Abstract. We study synthesis of controllers for real-time systems, where the objective is to stay in a given safe set.
The problem is solved by obtaining winning strategies in concurrent two-player timed automaton games with safety
objectives. To prevent a player from winning by blocking time, we restrict each player to strategies that ensure that
the player cannot be responsible for causing a zeno run. We construct winning strategies for the controller which
require access only to (1) the system clocks (thus, controllers which require their own internal infinitely precise clocks
are not necessary), and (2) a linear (in the number of clocks) number of memory bits. Precisely, we show that a
memory of size $(3 \cdot |C| + 1 + \lg(|C| + 1))$ bits suffices for winning controller strategies for safety objectives, where
$C$ is the set of clocks of the timed automaton game, significantly improving the previous known exponential bound.
We also settle the open question of whether region strategies for controllers require memory for safety objectives by
showing with an example that region strategies do require memory for safety objectives.

1 Introduction

Synthesizing controllers to ensure that a plant stays in a safe set is an important problem in the area of
systems control. We study the synthesis of timed controllers in the present paper. Our formalism is based on
timed automata [AD94], which are models of real-time systems in which states consist of discrete locations and
values for real-time clocks. The transitions between locations are dependent on the clock values. The real-time
controller synthesis problem is modeled using timed automaton games, which are played by two players on timed
automata, where player 1 is the "controller" and player 2 the "plant". Obtaining winning strategies for player 1
in such games corresponds to the construction of controllers for real-time systems with desired objectives.
The issue of time divergence is crucial in timed games, as a naive control strategy might simply block time,
leading to "zeno" runs. The following approaches have been proposed to avoid such invalid zeno solutions:
(1) discretize time so that players can only take transitions at integer multiples of some fixed time period,
e.g. in [HK99]; (2) put syntactic restrictions on the timed game structure so that zeno runs are not possible
(the syntactic restriction is usually presented as the strong non-zenoness assumption where the obtained
controller synthesis algorithms are guaranteed to work correctly only on timed automaton games where every
cycle is such that in it some clock is reset to 0 and is also greater than an integer value at some point, e.g.
in [AM99,BBL04,PAMS98]); (3) require player 1 to ensure time divergence (e.g. by only taking transitions if
player 2 can never take transitions in the future from the current location, as in [DM02,BDMP03]); (4) give the
controller access to an extra (infinitely precise) clock which measures global time and require that player 1 wins
if either its moves are chosen only finitely often, or if the ticks of this extra clock are seen infinitely often while
satisfying the desired objective, e.g., in [dAFH+03,AH97].

The above approaches are not optimal in many cases and below we point out some drawbacks. Discretizing
the system blows up the state space, and might not be faithful to the real-time semantics. Putting syntactic
restrictions is troublesome as it can lead to disallowing certain system models. For example, consider the timed
automaton game $\mathcal{T}$ in Figure 1. The details of the game are not important and are omitted here for the sake
of brevity. In the figure, the edges are labelled as $a_1^j$ for actions controlled by player 1; and by $a_2^j$ for actions
controlled by player 2. The safety objective is to avoid the location "Bad" (player 1 can satisfy this objective
without blocking time). One can easily show that zeno runs are possible in this timed automaton game, mainly
due to the edges $a_1^2$ and $a_2^2$. The game $\mathcal{T}$ can be made to be non-zeno syntactically by changing the guards of the
edges $a_1^2$ and $a_2^2$ to $1 > x > d$, where $d$ is some conservative constant (say 0.001 time units, where it is assumed
that the plant takes at least 0.001 time units to transition out of $l_1$ and $l_2$). This change unfortunately blows up
the finite state region abstraction of the timed automaton game (the region abstraction is used in every current
solution to the real-time controller synthesis problem for timed automaton games). If the constant $d$ is 0.001,
then the number of states in the region abstraction blows up from roughly 2.5 * 10^ for the original game to
2.5 * 10^ * 10^; a blow up by a factor of 10^. Admittedly however, on the fly algorithms for controller synthesis
may help mitigate the situation in some cases ([CDF+05]) by not explicitly constructing the full graph of the
region abstraction.

Fig. 1. A timed automaton game.

Requiring player 1 to guarantee time divergence by only taking transitions if player 2 cannot take transitions 
from the current location is too conservative. If we consider the game in Figure 1, this approach would prevent 
player 1 from taking any of the actions, making the system uncontrollable. Finally, adding an extra infinitely 
precise clock to measure time, and making it observable to the controller amounts to giving unfair and unrealistic 
power to the controller in many situations. 

In the present paper, we avoid the shortcomings of the previous approaches by using two techniques. First,
we use receptive [AH97,SGSAL98] player-1 strategies, which, while being required to not prevent time from
diverging, are not required to ensure time divergence. Receptiveness is incorporated by using the more general,
semantic and fully symmetric formalism of [dAFH+03] for dealing with the issue of time divergence. This
setting places no syntactic restriction on the game structure, and gives both players equally powerful options
for advancing time, but for a player to win, it must not be responsible for causing time to converge. Formally,
our timed games proceed in an infinite sequence of rounds. In each round, both players simultaneously propose
moves, with each move consisting of an action and a time delay after which the player wants the proposed
action to take place. Of the two proposed moves, the move with the shorter time delay "wins" the round and
determines the next state of the game. Let a set $\Phi$ of runs be the desired objective for player 1. Then player 1
has a winning strategy for $\Phi$ if it has a strategy to ensure that, no matter what player 2 does, one of the
following two conditions holds: (1) time diverges and the resulting run belongs to $\Phi$, or (2) time does not diverge
but player-1's moves are chosen only finitely often (and thus it is not to be blamed for the convergence of time).
Second, in the current work, the controller only uses the system clocks of the model (unlike [dAFH+03] which
makes available to the controller an extra infinitely precise clock to measure time), ensuring that the controller
bases its actions only on the variables corresponding to the physical processes of the system (the system clocks).
Time divergence is inferred from the history of certain predicates of the system clocks, rather than from an
extra infinitely precise clock that the controller has to keep in memory.

Contributions. Our current work significantly improves the results of [CHP08]. In [CHP08] we showed that
finite-memory receptive strategies suffice for safety objectives in timed automaton games; the problem of
establishing a memory bound was left open. In this paper, we first show that a basic analysis using Zielonka trees of
the characterization of receptive strategies of [CHP08] leads to an exponential number of bits for the memory
bound (in the number of clocks) for the winning strategies. We then present an improved new characterization
of receptive strategies for safety objectives which allows us to obtain a linear number of bits for the memory
bound for winning strategies. Precisely, we show that a memory of size $(3 \cdot |C| + 1 + \lg(|C| + 1))$ bits suffices
for winning receptive strategies for safety objectives, where $C$ is the set of clocks of the timed automaton game,
considerably improving the exponential bound obtained from the previous result. Finally, we settle the open
question of whether region strategies for controllers require memory for safety objectives. We show with an
example that region strategies in general do require memory for safety objectives.

2 Timed Games 

2.1 Timed Game Structures 

In this Subsection we present the definitions of timed game structures, runs, objectives, strategies and the 
notions of sure and almost-sure winning in timed game structures. 

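Timed game structures. A timed game structure is a tuple $\mathcal{G} = \langle S, A_1, A_2, \Gamma_1, \Gamma_2, \delta \rangle$ with the following
components.

— $S$ is a set of states.

— $A_1$ and $A_2$ are two disjoint sets of actions for players 1 and 2, respectively. We assume that $\perp_i \notin A_i$, and
write $A_i^{\perp}$ for $A_i \cup \{\perp_i\}$. The set of moves for player $i$ is $M_i = \mathbb{R}_{\ge 0} \times A_i^{\perp}$. Intuitively, a move $\langle \Delta, a_i \rangle$ by
player $i$ indicates a waiting period of $\Delta$ time units followed by a discrete transition labeled with action $a_i$.
The move $\langle \Delta, \perp_i \rangle$ is used to represent the move of player $i$ where player $i$ just lets time elapse for $\Delta$ time
units without taking any of the discrete actions from $A_i$.

— $\Gamma_i : S \mapsto 2^{M_i} \setminus \emptyset$ are two move assignments. At every state $s$, the set $\Gamma_i(s)$ contains the moves that are
available to player $i$. We require that $\langle 0, \perp_i \rangle \in \Gamma_i(s)$ for all states $s \in S$ and $i \in \{1, 2\}$. Intuitively, $\langle 0, \perp_i \rangle$ is
a time-blocking stutter move.

— $\delta : S \times (M_1 \cup M_2) \mapsto S$ is the transition function. We require that for all time delays $\Delta, \Delta' \in \mathbb{R}_{\ge 0}$ with
$\Delta' \le \Delta$, and all actions $a_i \in A_i^{\perp}$, we have (1) $\langle \Delta, a_i \rangle \in \Gamma_i(s)$ iff both $\langle \Delta', \perp_i \rangle \in \Gamma_i(s)$ and
$\langle \Delta - \Delta', a_i \rangle \in \Gamma_i(\delta(s, \langle \Delta', \perp_i \rangle))$; and (2) if $\delta(s, \langle \Delta', \perp_i \rangle) = s'$ and $\delta(s', \langle \Delta - \Delta', a_i \rangle) = s''$,
then $\delta(s, \langle \Delta, a_i \rangle) = s''$.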

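The game proceeds as follows. If the current state of the game is $s$, then both players simultaneously propose
moves $\langle \Delta_1, a_1 \rangle \in \Gamma_1(s)$ and $\langle \Delta_2, a_2 \rangle \in \Gamma_2(s)$. The move with the shorter duration "wins" in determining the
next state of the game. If both moves have the same duration, then player 2 determines whether the next state
will be determined by its move, or by the move of player 1. We use this setting as our goal is to compute the
winning set for player 1 against all possible strategies of player 2. Formally, we define the joint destination
function $\delta_{\mathsf{jd}} : S \times M_1 \times M_2 \mapsto 2^S$ by

$$\delta_{\mathsf{jd}}(s, \langle \Delta_1, a_1 \rangle, \langle \Delta_2, a_2 \rangle) =
\begin{cases}
\{\delta(s, \langle \Delta_1, a_1 \rangle)\} & \text{if } \Delta_1 < \Delta_2; \\
\{\delta(s, \langle \Delta_2, a_2 \rangle)\} & \text{if } \Delta_2 < \Delta_1; \\
\{\delta(s, \langle \Delta_2, a_2 \rangle), \delta(s, \langle \Delta_1, a_1 \rangle)\} & \text{if } \Delta_2 = \Delta_1.
\end{cases}$$

The time elapsed when the moves $m_1 = \langle \Delta_1, a_1 \rangle$ and $m_2 = \langle \Delta_2, a_2 \rangle$ are proposed is given by
$\mathsf{delay}(m_1, m_2) = \min(\Delta_1, \Delta_2)$. The boolean predicate $\mathsf{blame}_i(s, m_1, m_2, s')$ indicates whether player $i$ is
"responsible" for the state change from $s$ to $s'$ when the moves $m_1$ and $m_2$ are proposed. Denoting the opponent
of player $i$ by $\sim i = 3 - i$, for $i \in \{1, 2\}$, we define

$$\mathsf{blame}_i(s, \langle \Delta_1, a_1 \rangle, \langle \Delta_2, a_2 \rangle, s') = \bigl(\Delta_i \le \Delta_{\sim i} \;\wedge\; \delta(s, \langle \Delta_i, a_i \rangle) = s'\bigr).$$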

Runs. A run of the timed game structure $\mathcal{G}$ is an infinite sequence $r = s_0, \langle m_1^0, m_2^0 \rangle, s_1, \langle m_1^1, m_2^1 \rangle, \ldots$ such that
$s_k \in S$ and $m_i^k \in \Gamma_i(s_k)$ and $s_{k+1} \in \delta_{\mathsf{jd}}(s_k, m_1^k, m_2^k)$ for all $k \ge 0$ and $i \in \{1, 2\}$. For $k \ge 0$, let $\mathsf{time}(r, k)$ denote
the "time" at position $k$ of the run, namely, $\mathsf{time}(r, k) = \sum_{j=0}^{k-1} \mathsf{delay}(m_1^j, m_2^j)$ (we let $\mathsf{time}(r, 0) = 0$). By $r[k]$
we denote the $(k+1)$-th state of $r$. The run prefix $r[0..k]$ is the finite prefix of the run $r$ that ends in the
state $s_k$. Let $\mathsf{Runs}$ be the set of all runs of $\mathcal{G}$, and let $\mathsf{FinRuns}$ be the set of run prefixes.

Objectives. An objective for the timed game structure $\mathcal{G}$ is a set $\Phi \subseteq \mathsf{Runs}$ of runs. We will be interested in
the classical safety objectives. Given a set of states $Y$, the safety objective consists of the set of runs that stay
within $Y$, formally, $\mathsf{Safe}(Y) = \{r \mid \text{for all } i \text{ we have } r[i] \in Y\}$. To solve timed games for safety objectives, we
shall need to solve for certain $\omega$-regular objectives (see [Tho97] for the definition of $\omega$-regular sets).

Strategies. A strategy for a player is a recipe that specifies how to extend a run. Formally, a probabilistic
strategy $\pi_i$ for player $i \in \{1, 2\}$ is a function $\pi_i$ that assigns to every run prefix $r[0..k]$ a probability measure
$P_{\pi_i}^{r[0..k]}$ over $\Gamma_i(r[k])$, the set of moves available to player $i$ at the state $r[k]$ (the event class can be suitably
chosen). Pure strategies are strategies for which the state space of the probability distribution of $P_{\pi_i}^{r[0..k]}$ is a
singleton set for every run $r$ and all $k$. We let $\Pi_i^{\mathsf{pure}}$ denote the set of pure strategies for player $i$, with $i \in \{1, 2\}$.
We call probability distributions with singleton support sets pure distributions.

For $i \in \{1, 2\}$, let $\Pi_i$ be the set of strategies for player $i$. If both players propose the same time
delay, then the tie is broken by a scheduler. Let $\mathsf{TieBreak}$ be the set of functions from $\mathbb{R}_{\ge 0} \times A_1 \times A_2$ to
$\{1, 2\}$. A scheduler strategy $\pi_{\mathsf{sched}}$ is a mapping from $\mathsf{FinRuns}$ to $\mathsf{TieBreak}$. If $\pi_{\mathsf{sched}}(r[0..k]) = h$, then the
resulting state given player 1 and player 2 moves $\langle \Delta, a_1 \rangle$ and $\langle \Delta, a_2 \rangle$ respectively, is determined by the move of
player $h(\Delta, a_1, a_2)$. We denote the set of all scheduler strategies by $\Pi_{\mathsf{sched}}$. Given two strategies $\pi_1 \in \Pi_1$ and
$\pi_2 \in \Pi_2$, the set of possible outcomes of the game starting from a state $s \in S$ is denoted $\mathsf{Outcomes}(s, \pi_1, \pi_2)$.
We let $\mathsf{Outcomes}_k(s, \pi_1, \pi_2)$ denote the set of finite runs $r[0..k-1]$ which are possible according to the two
strategies given the initial state $s$. If we fix the scheduler strategy $\pi_{\mathsf{sched}}$ then the set of possible outcomes is
denoted by $\mathsf{Outcomes}(s, \pi_1, \pi_2, \pi_{\mathsf{sched}})$. Given strategies $\pi_1$ and $\pi_2$, for player 1 and player 2, respectively, a
scheduler strategy $\pi_{\mathsf{sched}}$ and a starting state $s$ we denote by $\Pr_s^{\pi_1, \pi_2, \pi_{\mathsf{sched}}}(\cdot)$ the probability space over $\mathsf{Runs}$
given the strategies and the initial state $s$.

Receptive strategies. We will be interested in strategies that are meaningful (in the sense that they do not
block time). To define them formally we first present the following two sets of runs.

— A run $r$ is time-divergent if $\lim_{k \to \infty} \mathsf{time}(r, k) = \infty$. We denote by $\mathsf{Timediv}$ the set of all time-divergent runs.

— The set $\mathsf{Blameless}_i \subseteq \mathsf{Runs}$ consists of the set of runs in which player $i$ is responsible only for finitely many
transitions. A run $s_0, \langle m_1^0, m_2^0 \rangle, s_1, \langle m_1^1, m_2^1 \rangle, \ldots$ belongs to the set $\mathsf{Blameless}_i$, for $i \in \{1, 2\}$, if there exists
a $k \ge 0$ such that for all $j \ge k$, we have $\neg\, \mathsf{blame}_i(s_j, m_1^j, m_2^j, s_{j+1})$.

A strategy $\pi_i$ is receptive if for all strategies $\pi_{\sim i}$, all states $s \in S$, and all runs $r \in \mathsf{Outcomes}(s, \pi_1, \pi_2)$, either
$r \in \mathsf{Timediv}$ or $r \in \mathsf{Blameless}_i$. Thus, no matter what the opponent does, a receptive strategy of player $i$
cannot be responsible for blocking time. Strategies that are not receptive are not physically meaningful. A
timed game structure $\mathcal{G}$ is well-formed if both players have receptive strategies. We restrict our attention to
well-formed timed game structures. We denote by $\Pi_i^R$ the set of receptive strategies for player $i$. Note that
for $\pi_1 \in \Pi_1^R$, $\pi_2 \in \Pi_2^R$, we have $\mathsf{Outcomes}(s, \pi_1, \pi_2) \subseteq \mathsf{Timediv}$.

Sure and almost-sure winning modes. Let $\mathsf{Sure}_1^{\mathcal{G}}(\Phi)$ (resp. $\mathsf{AlmostSure}_1^{\mathcal{G}}(\Phi)$) be the set of states $s$ in $\mathcal{G}$ such
that player 1 has a receptive strategy $\pi_1 \in \Pi_1^R$ such that for all scheduler strategies $\pi_{\mathsf{sched}} \in \Pi_{\mathsf{sched}}$ and for
all player-2 receptive strategies $\pi_2 \in \Pi_2^R$, we have $\mathsf{Outcomes}(s, \pi_1, \pi_2) \subseteq \Phi$ (resp. $\Pr_s^{\pi_1, \pi_2, \pi_{\mathsf{sched}}}(\Phi) = 1$). Such a
winning strategy is said to be a sure (resp. almost sure) winning receptive strategy. In computing the winning
sets, we shall quantify over all strategies, but modify the objective to take care of time divergence. Given an
objective $\Phi$, let $\mathsf{TimeDivBl}_1(\Phi) = (\mathsf{Timediv} \cap \Phi) \cup (\mathsf{Blameless}_1 \setminus \mathsf{Timediv})$, i.e., $\mathsf{TimeDivBl}_1(\Phi)$ denotes the set of
paths such that either time diverges and $\Phi$ holds, or else time converges and player 1 is not responsible for
time to converge. A player-1 strategy is hence receptive iff it ensures that against all player-2 strategies, the
resulting runs belong to $\mathsf{TimeDivBl}_1(\mathsf{Runs})$. Let $\mathsf{Sure}_1^{\mathcal{G}}(\Phi)$ (resp. $\mathsf{AlmostSure}_1^{\mathcal{G}}(\Phi)$) be the set of states in $\mathcal{G}$ such
that for all $s \in \mathsf{Sure}_1^{\mathcal{G}}(\Phi)$ (resp. $\mathsf{AlmostSure}_1^{\mathcal{G}}(\Phi)$), player 1 has a strategy $\pi_1 \in \Pi_1$ such that for
all scheduler strategies $\pi_{\mathsf{sched}} \in \Pi_{\mathsf{sched}}$ and for all player-2 strategies $\pi_2 \in \Pi_2$, we have $\mathsf{Outcomes}(s, \pi_1, \pi_2) \subseteq \Phi$
(resp. $\Pr_s^{\pi_1, \pi_2, \pi_{\mathsf{sched}}}(\Phi) = 1$). Such a winning strategy is said to be a sure (resp. almost sure) winning for the
non-receptive game. The following result establishes the connection between Sure and Sure sets.

Theorem 1 ([HP06]). For all well-formed timed game structures $\mathcal{G}$, and for all $\omega$-regular objectives $\Phi$, we
have $\mathsf{Sure}_1^{\mathcal{G}}(\mathsf{TimeDivBl}_1(\Phi)) = \mathsf{Sure}_1^{\mathcal{G}}(\Phi)$.

We observe here that $\mathsf{TimeDivBl}_1(\Phi)$ is not equivalent to $(\neg\, \mathsf{Blameless}_1) \rightarrow \mathsf{Timediv} \cap \Phi$. Player 1 loses even
if it does not get moves infinitely often, provided time diverges and the run does not belong to $\Phi$.

2.2 Timed Automaton Games 

In this Subsection we define a special class of timed game structures, namely, timed automaton games, and the 
notion of region equivalence. 

Timed automaton games. Timed automata [AD94] suggest a finite syntax for specifying infinite-state timed
game structures. A timed automaton game is a tuple $\mathcal{T} = \langle L, C, A_1, A_2, E, \gamma \rangle$ with the following components:

— $L$ is a finite set of locations.

— $C$ is a finite set of clocks.

— $A_1$ and $A_2$ are two disjoint sets of actions for players 1 and 2, respectively.

— $E \subseteq L \times (A_1 \cup A_2) \times \mathsf{Constr}(C) \times L \times 2^C$ is the edge relation, where the set $\mathsf{Constr}(C)$ of clock constraints
is generated by the grammar

$$\theta ::= x \le d \mid d \le x \mid \neg\theta \mid \theta_1 \wedge \theta_2$$

for clock variables $x \in C$ and nonnegative integer constants $d$. For an edge $e = \langle l, a_i, \theta, l', \lambda \rangle$, the
clock constraint $\theta$ acts as a guard on the clock values which specifies when the edge $e$ can be taken,
and by taking the edge $e$, the clocks in the set $\lambda \subseteq C$ are reset to 0. We require that for all edges
$\langle l, a_i, \theta', l', \lambda' \rangle, \langle l, a_i, \theta'', l'', \lambda'' \rangle \in E$ with $l' \ne l''$, the conjunction $\theta' \wedge \theta''$ is unsatisfiable. This requirement
ensures that a state and a move together uniquely determine a successor state.

— $\gamma : L \mapsto \mathsf{Constr}(C)$ is a function that assigns to every location an invariant for both players. All clocks
increase uniformly at the same rate. When at location $l$, each player $i$ must propose a move out of $l$ before
the invariant $\gamma(l)$ expires. Thus, the game can stay at a location only as long as the invariant is satisfied by
the clock values.

A clock valuation is a function $\kappa : C \mapsto \mathbb{R}_{\ge 0}$ that maps every clock to a nonnegative real. The set of all clock
valuations for $C$ is denoted by $K(C)$. Given a clock valuation $\kappa \in K(C)$ and a time delay $\Delta \in \mathbb{R}_{\ge 0}$, we write
$\kappa + \Delta$ for the clock valuation in $K(C)$ defined by $(\kappa + \Delta)(x) = \kappa(x) + \Delta$ for all clocks $x \in C$. For a subset $\lambda \subseteq C$
of the clocks, we write $\kappa[\lambda := 0]$ for the clock valuation in $K(C)$ defined by $(\kappa[\lambda := 0])(x) = 0$ if $x \in \lambda$, and
$(\kappa[\lambda := 0])(x) = \kappa(x)$ if $x \notin \lambda$. A clock valuation $\kappa \in K(C)$ satisfies the clock constraint $\theta \in \mathsf{Constr}(C)$, written
$\kappa \models \theta$, if the condition $\theta$ holds when all clocks in $C$ take on the values specified by $\kappa$. A state $s = \langle l, \kappa \rangle$ of the
timed automaton game $\mathcal{T}$ is a location $l \in L$ together with a clock valuation $\kappa \in K(C)$ such that the invariant
at the location is satisfied, that is, $\kappa \models \gamma(l)$. Let $S$ be the set of all states of $\mathcal{T}$. In a state, each player $i$ proposes
a time delay allowed by the invariant map $\gamma$, together either with the action $\perp$, or with an action $a_i \in A_i$ such
that an edge labeled $a_i$ is enabled after the proposed time delay. We require that for $i \in \{1, 2\}$ and for all states
$s = \langle l, \kappa \rangle$, if $\kappa \models \gamma(l)$, either $\kappa + \Delta \models \gamma(l)$ for all $\Delta \in \mathbb{R}_{\ge 0}$, or there exist a time delay $\Delta \in \mathbb{R}_{\ge 0}$ and an edge
$\langle l, a_i, \theta, l', \lambda \rangle \in E$ such that (1) $a_i \in A_i$ and (2) $\kappa + \Delta \models \theta$ and for all $0 \le \Delta' \le \Delta$, we have $\kappa + \Delta' \models \gamma(l)$, and
(3) $(\kappa + \Delta)[\lambda := 0] \models \gamma(l')$. This requirement is necessary (but not sufficient) for well-formedness of the game.
The timed automaton game $\mathcal{T}$ defines the following timed game structure $[\![\mathcal{T}]\!] = \langle S, A_1, A_2, \Gamma_1, \Gamma_2, \delta \rangle$:

— $S = \{\langle l, \kappa \rangle \mid l \in L$ and $\kappa$ satisfies $\gamma(l)\}$.

— For $i \in \{1, 2\}$, the set $\Gamma_i(\langle l, \kappa \rangle)$ contains the following elements:

1. $\langle \Delta, \perp_i \rangle$ if for all $0 \le \Delta' \le \Delta$, we have $\kappa + \Delta' \models \gamma(l)$.

2. $\langle \Delta, a_i \rangle$ if for all $0 \le \Delta' \le \Delta$, we have $\kappa + \Delta' \models \gamma(l)$, $a_i \in A_i$, and there exists an edge $\langle l, a_i, \theta, l', \lambda \rangle \in E$
such that $\kappa + \Delta \models \theta$.

— The transition function $\delta$ is specified by:

1. $\delta(\langle l, \kappa \rangle, \langle \Delta, \perp_i \rangle) = \langle l, \kappa + \Delta \rangle$.

2. $\delta(\langle l, \kappa \rangle, \langle \Delta, a_i \rangle) = \langle l', (\kappa + \Delta)[\lambda := 0] \rangle$ for the unique edge $\langle l, a_i, \theta, l', \lambda \rangle \in E$ with $\kappa + \Delta \models \theta$.

The timed game structure $[\![\mathcal{T}]\!]$ is not necessarily well-formed, because it may contain cycles along which time
cannot diverge. Well-formedness of timed automaton games can be checked in EXPTIME [HP06]. We restrict
our focus to well-formed timed automaton games in this paper. We shall also restrict our attention to
randomization over time — a random move of a player in a timed automaton game will consist of a distribution over
time over some interval $I$, denoted , together with a discrete action $a_i$.

Clock region equivalence. Timed automaton games can be solved using a region construction from the theory
of timed automata [AD94]. For a real $t \ge 0$, let $\mathsf{frac}(t) = t - \lfloor t \rfloor$ denote the fractional part of $t$. Given a timed
automaton game $\mathcal{T}$, for each clock $x \in C$, let $c_x$ denote the largest integer constant that appears in any clock
constraint involving $x$ in $\mathcal{T}$ (let $c_x = 1$ if there is no clock constraint involving $x$). Two clock valuations $\kappa_1, \kappa_2$
are said to be region equivalent, denoted by $\kappa_1 \cong \kappa_2$, when all the following conditions hold.

1. For all clocks $x$ with $\kappa_1(x) \le c_x$ and $\kappa_2(x) \le c_x$, we have $\lfloor \kappa_1(x) \rfloor = \lfloor \kappa_2(x) \rfloor$.

2. For all clocks $x, y$ with $\kappa_1(x) \le c_x$ and $\kappa_1(y) \le c_y$, we have $\mathsf{frac}(\kappa_1(x)) \le \mathsf{frac}(\kappa_1(y))$ iff
$\mathsf{frac}(\kappa_2(x)) \le \mathsf{frac}(\kappa_2(y))$.

3. For all clocks $x$ with $\kappa_1(x) \le c_x$ and $\kappa_2(x) \le c_x$, we have $\mathsf{frac}(\kappa_1(x)) = 0$ iff $\mathsf{frac}(\kappa_2(x)) = 0$.

4. For any clock $x$, $\kappa_1(x) > c_x$ iff $\kappa_2(x) > c_x$.

Two states $\langle l_1, \kappa_1 \rangle$ and $\langle l_2, \kappa_2 \rangle$ are region equivalent iff $l_1 = l_2$ and $\kappa_1 \cong \kappa_2$.

A region $R$ of a timed automaton game $\mathcal{T}$ is an equivalence class of states with respect to the region equivalence
relation.

Representing regions. We find it useful to sometimes denote a region $R$ by a tuple $\langle l, h, \mathcal{P}(C) \rangle$ where

— $l$ is a location of $\mathcal{T}$.

— $h$ is a function which specifies the integer values of clocks $h : C \mapsto (\mathbb{N} \cap [0, M])$ ($M$ is the largest constant
in $\mathcal{T}$).

— $\mathcal{P}(C)$ is a disjoint partition of the clocks into the tuple $\langle C_{-1}, C_0, \ldots, C_n \rangle$ such that
$\{C_{-1}, C_0, \ldots, C_n \mid \uplus\, C_i = C,\ C_i \ne \emptyset \text{ for } i > 0\}$.

A state $s$ with clock valuation $\kappa$ is then in the region $R$ when all the following conditions hold.

1. The location of $s$ corresponds to the location of $R$.

2. For all clocks $x$ with $\kappa(x) \le c_x$, $\lfloor \kappa(x) \rfloor = h(x)$.

3. For $\kappa(x) > c_x$, $h(x) = c_x$.

4. For all pairs of clocks $(x, y)$, with $\kappa(x) \le c_x$ and $\kappa(y) \le c_y$, we have $\mathsf{frac}(\kappa(x)) < \mathsf{frac}(\kappa(y))$ iff $x \in C_i$ and
$y \in C_j$ with $0 \le i < j$ (so, $x, y \in C_k$ with $k \ge 0$ implies $\mathsf{frac}(\kappa(x)) = \mathsf{frac}(\kappa(y))$).

5. For $\kappa(x) \le c_x$, $\mathsf{frac}(\kappa(x)) = 0$ iff $x \in C_0$.

6. $x \in C_{-1}$ iff $\kappa(x) > c_x$.

There are finitely many clock regions; more precisely, the number of clock regions is bounded by
$|L| \cdot \prod_{x \in C} (c_x + 1) \cdot |C|! \cdot 2^{2|C|}$.
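
The four region-equivalence conditions and the $\langle h, \mathcal{P}(C) \rangle$ representation above can be checked mechanically. The following Python sketch is an added example, not code from the paper: the function names, the clock bounds `C_MAX` and the sample valuations are constructed for illustration, and the location component is omitted.

```python
from fractions import Fraction
from math import floor


def frac(t):
    """Fractional part frac(t) = t - floor(t)."""
    return t - floor(t)


def region_equivalent(k1, k2, c):
    """Check the four region-equivalence conditions for valuations k1, k2.

    k1 and k2 map clock names to exact values; c maps each clock x to c_x.
    """
    # Condition 4: both valuations agree on which clocks exceed c_x.
    if any((k1[x] > c[x]) != (k2[x] > c[x]) for x in c):
        return False
    bounded = [x for x in c if k1[x] <= c[x]]
    for x in bounded:
        # Condition 1: equal integer parts.
        if floor(k1[x]) != floor(k2[x]):
            return False
        # Condition 3: zero fractional parts coincide.
        if (frac(k1[x]) == 0) != (frac(k2[x]) == 0):
            return False
    # Condition 2: same ordering of fractional parts.
    return all(
        (frac(k1[x]) <= frac(k1[y])) == (frac(k2[x]) <= frac(k2[y]))
        for x in bounded for y in bounded
    )


def region_key(k, c):
    """Canonical (h, P(C)) pair for the clock region containing valuation k."""
    unbounded = frozenset(x for x in c if k[x] > c[x])            # C_{-1}
    h = tuple(sorted((x, c[x] if x in unbounded else floor(k[x])) for x in c))
    by_frac = {}
    for x in c:
        if x not in unbounded:
            by_frac.setdefault(frac(k[x]), set()).add(x)
    zero = frozenset(by_frac.pop(Fraction(0), set()))              # C_0
    rest = tuple(frozenset(by_frac[f]) for f in sorted(by_frac))  # C_1..C_n
    return h, (unbounded, zero) + rest


# Constructed sample data: two clocks with c_x = 2 and c_y = 1.
F = Fraction
C_MAX = {"x": 2, "y": 1}
SAMPLES = [
    {"x": F(3, 10), "y": F(7, 10)},
    {"x": F(1, 10), "y": F(9, 10)},   # same region as the first sample
    {"x": F(7, 10), "y": F(3, 10)},   # fractional order flipped
    {"x": F(3, 2), "y": F(3)},        # y beyond c_y
    {"x": F(5, 4), "y": F(15, 2)},    # same region as the previous sample
    {"x": F(1), "y": F(1, 2)},        # x on an integer boundary
    {"x": F(2), "y": F(1)},           # both clocks exactly at their bounds
    {"x": F(5, 2), "y": F(1)},        # x beyond c_x
]


def keys_agree_with_equivalence():
    """Two valuations are equivalent exactly when their region keys match."""
    return all(
        region_equivalent(a, b, C_MAX)
        == (region_key(a, C_MAX) == region_key(b, C_MAX))
        for a in SAMPLES for b in SAMPLES
    )
```

Exact rationals are used because the conditions test fractional parts for equality, which floating-point values would not decide reliably.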

Region equivalent runs. For a state $s \in S$, we write $\mathsf{Reg}(s) \subseteq S$ for the clock region containing $s$. For a
run $r$, we let the region flow sequence $\mathsf{Reg}(r)$ be the sequence of regions $R_0, R_1, \cdots$ which intuitively denotes
the regions encountered (including those during time passage specified by moves) in $r$. Formally, $\mathsf{Reg}(r)$ is the
region sequence $R_0, R_1, \cdots$ such that there exist $i_0 = 0 < i_1 < i_2 \cdots$ with (1) $\mathsf{Reg}(r[j]) = R_{i_j}$; (2) $R_{k_1} \ne R_{k_2}$
for $i_j \le k_1 < k_2 < i_{j+1}$ for any $i_j$; and (3) if $r = s_0, \langle m_1^0, m_2^0 \rangle, s_1, \langle m_1^1, m_2^1 \rangle, \cdots$, and $r[j+1] = \delta(r[j], m_p^j)$
(for $p \in \{0, 1\}$), with $m_p^j = \langle \Delta, a \rangle$; then $R_{i_j}, R_{i_j + 1}, R_{i_j + 2}, \cdots, R_{i_{j+1} - 1}$ are the unique regions encountered when
$\Delta$ time passes from $r[j]$. The region flow sequence of a run is unique. Two runs $r, r'$ are region equivalent if
(1) their region flow sequences are the same, and (2) $\mathsf{Reg}(r[j]) = \mathsf{Reg}(r'[j])$ for all $j \ge 0$. Region equivalence
for finite runs can be defined similarly. We similarly define location equivalence for runs (note that a location
flow sequence is just the sequence of locations of the states in a run). An $\omega$-regular objective $\Phi$ is a location
objective if for all location-equivalent runs $r, r'$, we have $r \in \Phi$ iff $r' \in \Phi$. A parity index function $\Omega$ is a location
parity index function if $\Omega(s_1) = \Omega(s_2)$ whenever $s_1$ and $s_2$ have the same location. Henceforth, we shall restrict
our attention to location objectives.

Region equivalent strategies. Given a strategy $\pi$, a run prefix $r[0..k]$, a region $R$, and an action $a_i \in A_i^{\perp}$, let
$\mathcal{W}(\pi, r[0..k], R, a_i)$ denote the set $\{\langle \Delta, a_i \rangle \mid \langle \Delta, a_i \rangle \in \mathsf{Support}(\pi(r[0..k]))$ and $\mathsf{Reg}(r[k] + \Delta) = R\}$. A strategy
$\pi_1$ is a region strategy, if for all run prefixes $r_1[0..k]$ and $r_2[0..k]$ such that $\mathsf{Reg}(r_1[0..k]) = \mathsf{Reg}(r_2[0..k])$, and for
all regions $R$ and player-1 actions $a_1 \in A_1^{\perp}$, we have (1) $\mathcal{W}(\pi_1, r_1[0..k], R, a_1) = \emptyset$ iff $\mathcal{W}(\pi_1, r_2[0..k], R, a_1) = \emptyset$;
and (2) $P_{\pi_1}^{r_1[0..k]}(\mathcal{W}(\pi_1, r_1[0..k], R, a_1)) = P_{\pi_1}^{r_2[0..k]}(\mathcal{W}(\pi_1, r_2[0..k], R, a_1))$. The definition for player 2 strategies
is analogous. Two region strategies $\pi_1$ and $\pi_1'$ are region-equivalent if for all run prefixes $r[0..k]$, and for all
regions $R$ and player-1 actions $a_1 \in A_1^{\perp}$, we have (1) $\mathcal{W}(\pi_1, r[0..k], R, a_1) = \emptyset$ iff $\mathcal{W}(\pi_1', r[0..k], R, a_1) = \emptyset$; and
(2) $P_{\pi_1}^{r[0..k]}(\mathcal{W}(\pi_1, r[0..k], R, a_1)) = P_{\pi_1'}^{r[0..k]}(\mathcal{W}(\pi_1', r[0..k], R, a_1))$.

2.3 Winning Sets and Winning Strategies for Timed Automaton Games 

In this Subsection we present the computation of winning sets for timed automaton games based on the
framework of [dAFH+03], and derive various basic properties of winning strategies.

Encoding Time-Divergence by Enlarging the Game Structure. Given a timed automaton game $\mathcal{T}$,
consider the enlarged game structure $\widehat{\mathcal{T}}$ (based mostly on the construction in [dAFH+03]) with the state space
$\widehat{S} \subseteq S \times \mathbb{R}_{[0,1)} \times \{\text{TRUE}, \text{FALSE}\}^2$, and an augmented transition relation $\widehat{\delta} : \widehat{S} \times (M_1 \cup M_2) \mapsto \widehat{S}$. In an
augmented state $\langle s, \mathfrak{z}, \mathit{tick}, \mathit{bl}_1 \rangle \in \widehat{S}$, the component $s \in S$ is a state of the original game structure $[\![\mathcal{T}]\!]$, $\mathfrak{z}$ is the
value of a fictitious clock $z$ which gets reset to 0 every time it crosses 1 (i.e., if $\kappa'$ is the clock valuation resulting
from letting time $\Delta$ elapse from an initial clock valuation $\kappa$, then $\kappa'(z) = (\kappa(z) + \Delta) \bmod 1$), $\mathit{tick}$ is true
iff $z$ crossed 1 at the last transition and $\mathit{bl}_1$ is true if player 1 is to blame for the last transition (i.e., $\mathsf{blame}_1$ is
true for the last transition). Note that any strategy $\pi_i$ in $[\![\mathcal{T}]\!]$ can be considered a strategy in $\widehat{\mathcal{T}}$. The values
of the clock $z$, $\mathit{tick}$ and $\mathit{bl}_1$ correspond to the values each player keeps in memory in constructing his strategy.
Given any initial value of $\mathfrak{z} = \mathfrak{z}^*$, $\mathit{tick} = \mathit{tick}^*$, $\mathit{bl}_1 = \mathit{bl}_1^*$; any run $r$ in $\mathcal{T}$ has a corresponding unique run $\widehat{r}$
in $\widehat{\mathcal{T}}$ with $\widehat{r}[0] = \langle r[0], \mathfrak{z}^*, \mathit{tick}^*, \mathit{bl}_1^* \rangle$ such that $r$ is a projection of $\widehat{r}$ onto $\mathcal{T}$. For an objective $\Phi$, we can now
encode time-divergence as the objective: $\mathsf{TimeDivBl}_1(\Phi) = (\Box\Diamond\, \mathit{tick} \rightarrow \Phi) \wedge (\neg\Box\Diamond\, \mathit{tick} \rightarrow \Diamond\Box\, \neg \mathit{bl}_1)$, where $\Box$
and $\Diamond$ are the standard LTL modalities ("always" and "eventually" respectively), the combinations $\Box\Diamond$ and
$\Diamond\Box$ denoting "infinitely often" and "all but for a finite number of steps" respectively. This is formalized in the
following proposition.

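Proposition 1 ($\mathsf{TimeDivBl}_1()$ in terms of $\mathit{tick}$, $\mathit{bl}_1$). Let $\mathcal{T}$ be a timed automaton game and
$\widehat{\mathcal{T}}$ be the corresponding enlarged game structure. Let $\Phi$ be an objective on $\mathcal{T}$. Consider a run
$r = s^0, \langle m_1^0, m_2^0 \rangle, s^1, \langle m_1^1, m_2^1 \rangle, \cdots$ in $\mathcal{T}$. Let $\widehat{r}$ denote the corresponding run in $\widehat{\mathcal{T}}$ such that
$\widehat{r} = \langle s^0, \mathfrak{z}^0, \mathit{tick}^0, \mathit{bl}_1^0 \rangle, \langle m_1^0, m_2^0 \rangle, \langle s^1, \mathfrak{z}^1, \mathit{tick}^1, \mathit{bl}_1^1 \rangle, \langle m_1^1, m_2^1 \rangle \cdots$ with $\mathfrak{z}^0 = 0$, $\mathit{tick}^0 = \text{FALSE}$, $\mathit{bl}_1^0 = \text{FALSE}$. Then
$r \in \mathsf{TimeDivBl}_1(\Phi)$ iff $\widehat{r} \in ((\Box\Diamond\, \mathit{tick} \rightarrow \Phi) \wedge (\neg\Box\Diamond\, \mathit{tick} \rightarrow \Diamond\Box\, \neg \mathit{bl}_1))$.

Proof. Time diverges in the run $r$ iff it diverges in the corresponding run $\widehat{r}$. Also, the run $r$ belongs to $\mathsf{Blameless}_1$
iff the run $\widehat{r}$ belongs to $\mathsf{Blameless}_1$, which happens iff player 1 is blamed only finitely often, i.e., $\Diamond\Box\, \neg \mathit{bl}_1$ holds.
Hence $r \in \mathsf{TimeDivBl}_1(\Phi)$ iff $\widehat{r} \in \mathsf{TimeDivBl}_1(\Phi)$. The result follows from noting that time diverges iff time
crosses integer boundaries infinitely often, which happens iff $\Box\Diamond\, \mathit{tick}$ holds. □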
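
The round semantics of Section 2.1 (joint destination and blame) and the $\mathfrak{z}$, $\mathit{tick}$, $\mathit{bl}_1$ bookkeeping of the enlarged structure can be exercised on finite run prefixes. The following Python sketch is an added example, not code from the paper: `toy_delta`, `run_prefix`, `BOT` and the `tie_winner` parameter are constructed for illustration, and a finite prefix only illustrates the infinite-run conditions $\Box\Diamond\, \mathit{tick}$ and $\Diamond\Box\, \neg \mathit{bl}_1$.

```python
from fractions import Fraction

BOT = None  # stands for the action "bottom": let time elapse, take no edge


def joint_destination(delta, s, m1, m2):
    """delta_jd: set of possible next states when moves m1, m2 are proposed."""
    if m1[0] < m2[0]:
        return {delta(s, m1)}
    if m2[0] < m1[0]:
        return {delta(s, m2)}
    return {delta(s, m2), delta(s, m1)}


def blame(i, delta, s, m1, m2, s_next):
    """blame_i: player i's delay is not longer and its move explains s_next."""
    mine, other = (m1, m2) if i == 1 else (m2, m1)
    return mine[0] <= other[0] and delta(s, mine) == s_next


def enlarged_step(delta, aug, m1, m2, tie_winner=2):
    """One round on an augmented state (s, z, tick, bl1).

    tie_winner plays the role of the scheduler when both delays are equal.
    """
    s, z, _tick, _bl1 = aug
    if m1[0] == m2[0]:
        s_next = delta(s, m1 if tie_winner == 1 else m2)
    else:
        (s_next,) = joint_destination(delta, s, m1, m2)
    total = z + min(m1[0], m2[0])           # z before wrapping at 1
    return (s_next, total % 1, total >= 1,
            blame(1, delta, s, m1, m2, s_next))


def toy_delta(x, move):
    """Constructed one-clock system: a real action resets x, BOT lets x grow."""
    d, a = move
    return x + d if a is BOT else Fraction(0)


def run_prefix(p1_delays, p2_delay=Fraction(1)):
    """Play player-1 delays against a waiting player 2; count ticks and blame."""
    aug = (Fraction(0), Fraction(0), False, False)
    ticks = blamed = 0
    for d in p1_delays:
        aug = enlarged_step(toy_delta, aug, (d, "a1"), (p2_delay, BOT))
        ticks += aug[2]
        blamed += aug[3]
    return ticks, blamed, aug[1]


# Player 1 halves its delay each round: time converges below 1, no tick is
# ever seen, and player 1 is blamed in every round (not receptive behaviour).
ZENO = run_prefix([Fraction(1, 2 ** (k + 1)) for k in range(20)])

# Player 1 waits 1/2 each round: it is still blamed every round, but a tick
# occurs every second round, so time keeps advancing.
STEADY = run_prefix([Fraction(1, 2)] * 20)
```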

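The following lemma states that because of the correspondence between $\mathcal{T}$ and $\widehat{\mathcal{T}}$, we can obtain the winning
sets of $\mathcal{T}$ by obtaining the winning sets in $\widehat{\mathcal{T}}$.

Lemma 1 (Equivalence of winning sets of $\mathcal{T}$ and $\widehat{\mathcal{T}}$). Let $\mathcal{T}$ be a timed automaton game and $\widehat{\mathcal{T}}$ be the
corresponding enlarged game structure. Let $\Phi$ be an objective on $\mathcal{T}$. Given any state $s$ of $\mathcal{T}$, we have
$s \in \mathsf{Sure}_1^{\mathcal{T}}(\mathsf{TimeDivBl}_1(\Phi))$ iff $\langle s, 0, \text{FALSE}, \text{FALSE} \rangle \in \mathsf{Sure}_1^{\widehat{\mathcal{T}}}((\Box\Diamond\, \mathit{tick} \rightarrow \Phi) \wedge (\neg\Box\Diamond\, \mathit{tick} \rightarrow \Diamond\Box\, \neg \mathit{bl}_1))$.

Proof. Consider a state $s$ of $\mathcal{T}$, and a corresponding state $\langle s, 0, \text{FALSE}, \text{FALSE} \rangle$ of $\widehat{\mathcal{T}}$. The variables $\mathfrak{z}$, $\mathit{tick}$ and
$\mathit{bl}_1$ only "observe" properties in $\mathcal{T}$, they do not restrict transitions. Thus, given a run $r$ of $\mathcal{T}$ from $s$, there is a
unique run $\widehat{r}$ of $\widehat{\mathcal{T}}$ from $\langle s, 0, \text{FALSE}, \text{FALSE} \rangle$ and vice versa. Similarly, any player-$i$ strategy $\pi_i$ in $\mathcal{T}$ corresponds to
a strategy $\widehat{\pi}_i$ in $\widehat{\mathcal{T}}$; and any strategy $\widehat{\pi}_i$ in $\widehat{\mathcal{T}}$ corresponds to a strategy $\pi_i$ in $\mathcal{T}$ such that both strategies propose
the same moves for corresponding runs. The result then follows from Proposition 1. □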

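Let $\widehat{\kappa}$ be a valuation for the clocks in $\widehat{C} = C \cup \{z\}$. A state of $\widehat{\mathcal{T}}$ can then be considered as $\langle \langle l, \widehat{\kappa} \rangle, \mathit{tick}, \mathit{bl}_1 \rangle$.
We extend the clock equivalence relation to these expanded states: $\langle \langle l, \widehat{\kappa} \rangle, \mathit{tick}, \mathit{bl}_1 \rangle \cong \langle \langle l', \widehat{\kappa}' \rangle, \mathit{tick}', \mathit{bl}_1' \rangle$ iff
$l = l'$, $\mathit{tick} = \mathit{tick}'$, $\mathit{bl}_1 = \mathit{bl}_1'$ and $\widehat{\kappa} \cong \widehat{\kappa}'$. We let $\langle l, \mathit{tick}, \mathit{bl}_1 \rangle$ be the "locations" in $\widehat{\mathcal{T}}$. For every $\omega$-regular location
objective $\Phi$ of $\mathcal{T}$, we have $\mathsf{TimeDivBl}(\Phi)$ to be an $\omega$-regular location objective of $\widehat{\mathcal{T}}$.

We first recall the statement of a classical result of [AD94] that the region equivalence relation induces
a time abstract bisimulation on the regions.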

Lemma 2 ([AD94]). Let $Y, Y'$ be regions in the timed game structure $\mathcal{T}$. Suppose player $i$ has a move from
$s_1 \in Y$ to $s_1' \in Y'$, for $i \in \{1, 2\}$. Then, for any $s_2 \in Y$, player $i$ has a move from $s_2$ to some $s_2' \in Y'$.

Let $Y, Y_1', Y_2'$ be regions. We prove in Lemma 3 that one of the following two conditions hold: (a) for all states
in $Y$ there is a move for player 1 with destination in $Y_1'$, such that against all player 2 moves with destination in
$Y_2'$, the next state is guaranteed to be in $Y_1'$; or (b) for all states in $Y$ for all moves for player 1 with destination
in $Y_1'$ there is a move of player 2 to ensure that the next state is in $Y_2'$; or (c) if $Y_1' = Y_2'$ (except for the $\mathit{bl}_1$
component), then player 2 can pick the same time delay as player 1 and hence the winning move is decided by
the scheduler. The proof of the lemma is in the appendix.

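Lemma 3 (Regions suffice for determining winning move). Let $\mathcal{T}$ be a timed automaton game, and let $Y, Y_1', Y_2'$ be regions in the corresponding enlarged timed game structure $\widehat{\mathcal{T}}$. Suppose player-$i$ has a move $(\Delta_i, \bot_i)$ from some $\widehat{s} \in Y$ to $\widehat{s}_i \in Y_i'$, for $i \in \{1, 2\}$. Then, for all states $\widehat{s} \in Y$ and for all player-1 moves $m_1^{\widehat{s}} = (\Delta_1, a_1)$ with $\widehat{s} + \Delta_1 \in Y_1'$, one of the following cases must hold.

1. $Y_1' \neq Y_2'$ and for all moves $m_2^{\widehat{s}} = (\Delta_2, a_2)$ of player-2 with $\widehat{s} + \Delta_2 \in Y_2'$, we have $\Delta_1 < \Delta_2$ (and hence $\mathrm{blame}_1(\widehat{s}, m_1^{\widehat{s}}, m_2^{\widehat{s}}, \delta(\widehat{s}, m_1^{\widehat{s}})) = \text{TRUE}$ and $\mathrm{blame}_2(\widehat{s}, m_1^{\widehat{s}}, m_2^{\widehat{s}}, \delta(\widehat{s}, m_2^{\widehat{s}})) = \text{FALSE}$).

2. $Y_1' \neq Y_2'$ and for all player-2 moves $m_2^{\widehat{s}} = (\Delta_2, a_2)$ with $\widehat{s} + \Delta_2 \in Y_2'$, we have $\Delta_2 < \Delta_1$ (and hence $\mathrm{blame}_2(\widehat{s}, m_1^{\widehat{s}}, m_2^{\widehat{s}}, \delta(\widehat{s}, m_2^{\widehat{s}})) = \text{TRUE}$ and $\mathrm{blame}_1(\widehat{s}, m_1^{\widehat{s}}, m_2^{\widehat{s}}, \delta(\widehat{s}, m_1^{\widehat{s}})) = \text{FALSE}$).

3. $Y_1' = Y_2'$ and there exists a player-2 move $m_2^{\widehat{s}} = (\Delta_2, a_2)$ with $\widehat{s} + \Delta_2 \in Y_2'$ such that $\Delta_1 = \Delta_2$ (and hence $\mathrm{blame}_1(\widehat{s}, m_1^{\widehat{s}}, m_2^{\widehat{s}}, \delta(\widehat{s}, m_1^{\widehat{s}})) = \text{TRUE}$ and $\mathrm{blame}_2(\widehat{s}, m_1^{\widehat{s}}, m_2^{\widehat{s}}, \delta(\widehat{s}, m_2^{\widehat{s}})) = \text{TRUE}$).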

We now show that (1) pure strategies of player 1 suffice for winning from $\mathrm{Sure}_1$ states; and (2) pure strategies of player 2 suffice for spoiling from states that are not $\mathrm{Sure}_1$.

Lemma 4 (Existence of pure strategies for sure winning sets). Let $\mathcal{G}$ be a timed game structure, and let $\Phi$ be an objective of $\mathcal{G}$.

1. Pure strategies of player 1 suffice for winning from $\mathrm{Sure}_1^{\mathcal{G}}(\Phi)$.

2. Pure strategies of player 2 suffice for preventing sure winning of player 1 from states outside of $\mathrm{Sure}_1^{\mathcal{G}}(\Phi)$.

Proof. 1. Let $\pi_1$ be a sure-winning player-1 receptive strategy. Consider any player-1 pure receptive strategy $\pi_1'$ such that for any run $r$ of $\mathcal{G}$, we have $\pi_1'(r[0..k]) \in \mathrm{Support}(\pi_1(r[0..k]))$. Since $\pi_1$ is sure-winning, $\pi_1'$ must be sure-winning too.

2. Let $s \notin \mathrm{Sure}_1^{\mathcal{G}}(\Phi)$ and let $\pi_1$ be any player-1 receptive strategy. Let $\pi_2$ be a player-2 spoiling receptive strategy against $\pi_1$ for the state $s$. We have $\mathrm{Outcomes}(s, \pi_1, \pi_2) \not\subseteq \Phi$. This means there exists a run $r^* = s_0, (m_1^0, m_2^0), s_1, (m_1^1, m_2^1), \dots$ with $m_i^k \in \mathrm{Support}(\pi_i(r^*[0..k]))$ for $i \in \{1, 2\}$ such that $r^* \notin \Phi$. Consider the pure player-2 receptive strategy $\pi_2^*$ such that

$$\pi_2^*(r[0..k]) = \begin{cases} m_2^k & \text{if } r[0..k] = r^*[0..k] \\ (\Delta_2, a_2) & \text{otherwise, with } (\Delta_2, a_2) \text{ being in the support of } \pi_2(r[0..k]) \end{cases}$$

The receptive strategy $\pi_2^*$ spoils $\pi_1$ from winning surely from $s$ as $r^*$ belongs to $\mathrm{Outcomes}(s, \pi_1, \pi_2^*)$, and is not in $\Phi$. □

Lemma 4 gives us the following corollary which states that $\mathrm{Sure}_1$ sets are equal to the winning sets if only pure strategies are allowed for both players.

Corollary 1 (Equivalence of $\mathrm{Pure}_1$ and $\mathrm{Sure}_1$ sets). Let $\mathcal{T}$ be a timed automaton game and $\widehat{\mathcal{T}}$ be the corresponding enlarged game structure. Let $\Phi$ be an $\omega$-regular location objective of $\widehat{\mathcal{T}}$, and let $\mathrm{Pure}_1^{\widehat{\mathcal{T}}}(\Phi)$ denote the winning set for player 1 when both players are restricted to using only pure strategies. Then, $\mathrm{Pure}_1^{\widehat{\mathcal{T}}}(\Phi) = \mathrm{Sure}_1^{\widehat{\mathcal{T}}}(\Phi)$.

A $\mu$-calculus formulation for describing the sure winning sets. Given an $\omega$-regular objective $\Phi$ of the expanded game structure $\widehat{\mathcal{T}}$, a $\mu$-calculus formula $\varphi$ to describe the winning set $\mathrm{Pure}_1^{\widehat{\mathcal{T}}}(\Phi)$ (which is equal to $\mathrm{Sure}_1^{\widehat{\mathcal{T}}}(\Phi)$ by Corollary 1) is given in [dAFH+03]. The $\mu$-calculus formula uses the controllable predecessor operator for player 1, $\mathrm{CPre}_1 : 2^{\widehat{S}} \to 2^{\widehat{S}}$ (where $\widehat{S} = S^{\widehat{\mathcal{T}}}$), defined formally by $\widehat{s} \in \mathrm{CPre}_1(Z)$ iff $\exists m_1 \in \Gamma_1(\widehat{s})\ \forall m_2 \in \Gamma_2(\widehat{s}) .\ \delta_{jd}(\widehat{s}, m_1, m_2) \subseteq Z$. Informally, $\mathrm{CPre}_1(Z)$ consists of the set of states from which player 1 can ensure that the next state will be in $Z$, no matter what player 2 does. The operator $\mathrm{CPre}_1$ preserves regions of $\widehat{\mathcal{T}}$ (this follows from the results of Lemma 3). It was also shown in [dAFH+03] that only unions of regions arise in the $\mu$-calculus iteration for $\omega$-regular location objectives.

We now present a lemma that pure finite-memory strategies suffice for winning $\omega$-regular objectives, and all strategies region-equivalent to a region winning strategy are also winning.

Lemma 5 (Properties of pure winning strategies). Let $\mathcal{T}$ be a timed automaton game and $\widehat{\mathcal{T}}$ be the corresponding enlarged game structure. Let $\Phi$ be an $\omega$-regular location objective of $\widehat{\mathcal{T}}$. Then the following assertions hold.

— If $\pi_1$ is a player-1 pure strategy that wins against all player-2 pure strategies from state $\widehat{s}$, then $\pi_1$ wins against all player-2 strategies from state $\widehat{s}$.

— There is a pure finite-memory region strategy $\pi_1$ that is sure winning for $\Phi$ from the states in $\mathrm{Sure}_1^{\widehat{\mathcal{T}}}(\Phi)$.

— If $\pi_1$ is a pure region strategy that is sure winning for $\Phi$ from $\mathrm{Sure}_1^{\widehat{\mathcal{T}}}(\Phi)$ and $\pi_1'$ is a pure strategy that is region-equivalent to $\pi_1$, then $\pi_1'$ is a sure winning strategy for $\Phi$ from $\mathrm{Sure}_1^{\widehat{\mathcal{T}}}(\Phi)$.

Proof. 1. Since $\pi_1$ wins against all player-2 pure strategies, it must also win against all player-2 strategies (possibly randomized) from $\widehat{s}$ (a randomized player-2 strategy may be viewed as a random choice over pure player-2 strategies).

2. It follows from the $\mu$-calculus formulation of [dAFH+03] that there exists a pure finite-memory region strategy $\pi_1$ that wins against any pure player-2 strategy from the states in $\mathrm{Pure}_1^{\widehat{\mathcal{T}}}(\Phi)$. From the previous result, $\pi_1$ wins against all player-2 strategies (possibly randomized) from $\mathrm{Pure}_1^{\widehat{\mathcal{T}}}(\Phi)$. The claim is proved noting that $\mathrm{Pure}_1^{\widehat{\mathcal{T}}}(\Phi) = \mathrm{Sure}_1^{\widehat{\mathcal{T}}}(\Phi)$ from Corollary 1.

3. Let $\pi_1$ be a pure region strategy that is sure winning for $\Phi$ from a state $\widehat{s}$. Let $\pi_1^*$ be a player-1 pure strategy that is region equivalent to $\pi_1$. The strategy $\pi_1^*$ is a region strategy as $\pi_1$ is a region strategy. We show that $\pi_1^*$ wins against all player-2 pure strategies. The result then follows from the first part of the lemma.

Consider any player-2 pure strategy $\pi_2$. Suppose $\pi_2$ spoils the player-1 strategy $\pi_1^*$ from winning for $\Phi$. Then, from the state $\widehat{s}$ there exists a run $r^* = \widehat{s}_0, (m_1^0, m_2^0), \widehat{s}_1, (m_1^1, m_2^1), \dots$ with $m_1^k = \pi_1^*(r^*[0..k])$ and $m_2^k = \pi_2(r^*[0..k])$ such that $r^* \notin \Phi$. We show that there exists a player-2 pure strategy $\pi_2^\dagger$ and a run $r^\dagger \in \mathrm{Outcomes}(\widehat{s}, \pi_1, \pi_2^\dagger)$ with $\mathrm{Reg}(r^*) = \mathrm{Reg}(r^\dagger)$ (contradicting the assumption that $\pi_1$ was a player-1 winning strategy). Intuitively, the strategy $\pi_2^\dagger$ prescribes moves to the same regions as $\pi_2$ if the region sequence observed is the same as that of $\mathrm{Reg}(r^*)$. Formally, the strategy $\pi_2^\dagger$ is defined as follows. Given a run $r$,

$$\pi_2^\dagger(r[0..k]) = \begin{cases} (\Delta_2, a_2) & \text{if } \mathrm{Reg}(r[0..k]) = \mathrm{Reg}(r^*[0..k]), \text{ and } \pi_1^*(r^*[0..k]) = (\Delta_1^*, a_1), \text{ and } \pi_2(r^*[0..k]) = (\Delta_2^*, a_2), \\ & \text{and } \Delta_1^* \bowtie \Delta_2^* \text{ for } \bowtie\, \in \{<, >, =\}, \text{ and } \pi_1(r[0..k]) = (\Delta_1, a_1) \text{ with } \mathrm{Reg}(r[k] + \Delta_1) = \mathrm{Reg}(r^*[k] + \Delta_1^*) \\ & \text{(observe that } \pi_1 \text{ is a region strategy and } \pi_1^* \text{ is region equivalent to } \pi_1\text{),} \\ & \text{and } \Delta_2 \text{ is such that } \mathrm{Reg}(r[k] + \Delta_2) = \mathrm{Reg}(r^*[k] + \Delta_2^*) \text{ and } \Delta_1 \bowtie \Delta_2 \\ & \text{(such a } \Delta_2 \text{ must exist by Lemma 3)} \\ (0, \bot_2) & \text{otherwise.} \end{cases}$$

It can be checked that there exists a run $r^\dagger \in \mathrm{Outcomes}(\widehat{s}, \pi_1, \pi_2^\dagger)$ such that $\mathrm{Reg}(r^\dagger) = \mathrm{Reg}(r^*)$. This contradicts the fact that $\pi_1$ was a winning strategy. Thus, there cannot exist a player-2 pure strategy $\pi_2$ which prevents the player-1 strategy $\pi_1^*$ from winning. Hence, from the first part of the Lemma, $\pi_1^*$ is a player-1 winning strategy. □

Note that there is an infinitely precise global clock $z$ in the enlarged game structure $\widehat{\mathcal{T}}$. If $\mathcal{T}$ does not have such a global clock, then strategies in $\widehat{\mathcal{T}}$ correspond to strategies in $\mathcal{T}$ where player 1 (and player 2) maintain the value of the infinitely precise global clock in memory (requiring infinite memory).

3 Pure Finite-memory Receptive Strategies for Safety Objectives 

In this section we show the existence of pure finite-memory sure winning strategies for safety objectives in timed automaton games, and their memory requirements. The encoding of time-divergence in Subsection subsection:ResultsTimedAutomatonGames required an infinitely precise clock which had to be kept in memory of player 1, requiring infinite memory. In this section, we derive an alternative characterization of receptive strategies which does not require this extra clock. The characterization of receptive strategies is then used to derive receptive strategies for safety objectives. We also show that our derived winning strategies for safety objectives require only $(|C| + 1)$ memory (where $C$ is the set of clocks of the timed automaton game).

3.1 Analyzing Spoiling Strategies of Player 2 

In this subsection we analyze the spoiling strategies of player 2. This analysis will be used in characterizing the receptive strategies of player 1.

Adding predicates to the game structure. We add some predicates to timed automaton games; the predicates will be used later to analyze receptive safety strategies. Given a timed automaton game $\mathcal{T}$ and a state $s$ of $\mathcal{T}$, we define two functions $V_{>0} : C \to \{\text{true}, \text{false}\}$ and $V_{\geq 1} : C \to \{\text{true}, \text{false}\}$. We obtain $2 \cdot |C|$ predicates based on the two functions. For a clock $x$, the values of the predicates $V_{>0}(x)$ and $V_{\geq 1}(x)$ indicate if the value of clock $x$ was greater than 0, or greater than or equal to 1 respectively, at the transition point, just before the reset map. For example, for a state $s^p = (l^p, \kappa^p)$ and $\delta(s^p, (\Delta, a_i)) = s$, the predicate $V_{>0}(x)$ is TRUE at state $s$ iff $\kappa'(x) > 0$ for $\kappa' = \kappa^p + \Delta$. Consider the enlarged game structure $\widehat{\mathcal{T}}$ with the state space $\widehat{S} = S \times \{\text{true}, \text{false}\} \times \{\text{true}, \text{false}\}^{C} \times \{\text{true}, \text{false}\}^{C}$ and an augmented transition relation $\widehat{\delta}$. A state of $\widehat{\mathcal{T}}$ is a tuple $(s, bl_1, V_{>0}, V_{\geq 1})$, where $s$ is a state of $\mathcal{T}$, the component $bl_1$ is TRUE iff player 1 is to be blamed for the last transition, and $V_{>0}, V_{\geq 1}$ are as defined earlier. The clock equivalence relation can be lifted to states of $\widehat{\mathcal{T}}$: $(s, bl_1, V_{>0}, V_{\geq 1}) \cong (s', bl_1', V_{>0}', V_{\geq 1}')$ iff $s \cong_{\mathcal{T}} s'$, $bl_1 = bl_1'$, $V_{>0} = V_{>0}'$ and $V_{\geq 1} = V_{\geq 1}'$. We next present a finite state concurrent game $\mathcal{T}^{f}$ based on the regions of $\widehat{\mathcal{T}}$ which will be used to analyze spoiling strategies of player 2.

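Finite state concurrent game $\mathcal{T}^{f}$ based on the regions of $\widehat{\mathcal{T}}$. We first show that there exists a finite state concurrent game $\mathcal{T}^{f}$ which can be used to obtain winning sets and winning strategies of $\widehat{\mathcal{T}}$. The two ideas behind $\mathcal{T}^{f}$ are that (1) only region sequences are important for games with $\omega$-regular location objectives, and (2) only the destination regions of the players are important (due to Lemma 3). Formally, the game $\mathcal{T}^{f}$ is defined as the tuple $\langle S^{f}, M_1^{f}, M_2^{f}, \Gamma_1^{f}, \Gamma_2^{f}, \delta^{f}\rangle$ where

— $S^{f}$ is the set of states of $\mathcal{T}^{f}$, and is equal to the set of regions of $\widehat{\mathcal{T}}$.

— $M_i^{f}$ for $i \in \{1, 2\}$ is the set of moves of player-$i$.

• $M_1^{f} = \{(R, a_1) \mid R$ is a region of $\widehat{\mathcal{T}}$, and $a_1 \in A_1^{\bot}\}$.

• $M_2^{f} = \{(R, a_2, i) \mid R$ is a region of $\widehat{\mathcal{T}}$, $i \in \{1, 2\}$, and $a_2 \in A_2^{\bot}\}$.

Intuitively, the moves of player-$i$ denote which region it wants to let time pass to, and then take the discrete action $a_i$. In addition, for player 2, the component $i$ denotes which player's move will be chosen should the two players propose moves to the same region. Recall from Lemma 3 that in such a case, it is up to the scheduler to decide which player's move is to "win" in a run. Here, the scheduler is collaborating with player 2.

— $\Gamma_i^{f}$ for $i \in \{1, 2\}$ is the move assignment function. Given a state $R \in S^{f}$, we have $\Gamma_i^{f}(R)$ to be the set of moves available to player $i$ at state $R$.

• $\Gamma_1^{f}(R) = \{(R', a_1) \mid \exists\, \widehat{s} \in R$ such that player 1 has a move $(\Delta, a_1)$ in $\widehat{\mathcal{T}}$ from $\widehat{s}$ with $\mathrm{Reg}(\widehat{s} + \Delta) = R'\}$.

• $\Gamma_2^{f}(R) = \{(R', a_2, i) \mid \exists\, \widehat{s} \in R$ such that player 2 has a move $(\Delta, a_2)$ in $\widehat{\mathcal{T}}$ from $\widehat{s}$ with $\mathrm{Reg}(\widehat{s} + \Delta) = R'$ and $i \in \{1, 2\}\}$.

— The transition function $\delta^{f}$ is specified as

$$\delta^{f}(R, (R_1, a_1), (R_2, a_2, i)) = \begin{cases} R' & \text{if } R_1 \neq R_2,\ R_2 \text{ is a time successor of } R_1, \text{ and } \exists\, \widehat{s}_1 \in R_1 \text{ such that } \widehat{\delta}(\widehat{s}_1, (0, a_1)) \in R' \\ R' & \text{if } R_1 \neq R_2,\ R_1 \text{ is a time successor of } R_2, \text{ and } \exists\, \widehat{s}_2 \in R_2 \text{ such that } \widehat{\delta}(\widehat{s}_2, (0, a_2)) \in R' \\ R' & \text{if } R_1 = R_2,\ i = 1 \text{ and } \exists\, \widehat{s}_1 \in R_1 \text{ such that } \widehat{\delta}(\widehat{s}_1, (0, a_1)) \in R' \\ R' & \text{if } R_1 = R_2,\ i = 2 \text{ and } \exists\, \widehat{s}_2 \in R_2 \text{ such that } \widehat{\delta}(\widehat{s}_2, (0, a_2)) \in R' \end{cases}$$

Note that given player-1 and player-2 pure strategies $\pi_1^{f}$ and $\pi_2^{f}$, and any state $R$, we have only one run in $\mathrm{Outcomes}(R, \pi_1^{f}, \pi_2^{f})$.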

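Mapping runs and states in $\widehat{\mathcal{T}}$ to those in $\mathcal{T}^{f}$ using RegMap() and RegStates(). Given a run $r = \widehat{s}_0, (m_1^0, m_2^0), \widehat{s}_1, (m_1^1, m_2^1), \dots$ of $\widehat{\mathcal{T}}$, we let $\mathrm{RegMap}(r)$ be the corresponding run in $\mathcal{T}^{f}$ such that the states in $r$ are mapped to their regions, and the moves of $\widehat{\mathcal{T}}$ are mapped to corresponding moves in $\mathcal{T}^{f}$. Formally, $\mathrm{RegMap}(r)$ is the run $\mathrm{Reg}(\widehat{s}_0), (m_1^{0,f}, m_2^{0,f}), \mathrm{Reg}(\widehat{s}_1), (m_1^{1,f}, m_2^{1,f}), \dots$ in $\mathcal{T}^{f}$ such that for $m_1^j = (\Delta_1^j, a_1^j)$ and $m_2^j = (\Delta_2^j, a_2^j)$ we have (1) $m_1^{j,f} = (\mathrm{Reg}(\widehat{s}_j + \Delta_1^j), a_1^j)$, and (2) $m_2^{j,f} = (\mathrm{Reg}(\widehat{s}_j + \Delta_2^j), a_2^j, i)$ with $i = 1$ if $\Delta_1^j < \Delta_2^j$, or $\Delta_1^j = \Delta_2^j$ and $\widehat{s}_{j+1} = \widehat{\delta}(\widehat{s}_j, m_1^j)$ (i.e., the scheduler picks player 1 in round $j$); otherwise $i = 2$. Given a set of regions $X$ of $\widehat{\mathcal{T}}$ (i.e., $X$ is a set of states of $\mathcal{T}^{f}$), let $\mathrm{RegStates}(X) = \{\widehat{s} \mid \widehat{s} \in \bigcup X\}$.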

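We have the following lemma which states the equivalence of the games $\mathcal{T}^{f}$ and $\widehat{\mathcal{T}}$ with respect to the $\mathrm{CPre}_1$ operator of the $\mu$-calculus formulation mentioned in Section 2.

Lemma 6. Let $\mathcal{T}$ be a timed automaton game, $\widehat{\mathcal{T}}$ the expanded game structure as mentioned above, and $\mathcal{T}^{f}$ the corresponding finite state concurrent game structure. If $X$ is a set of regions of $\widehat{\mathcal{T}}$, then $\mathrm{CPre}_1^{\widehat{\mathcal{T}}}(\bigcup X) = \mathrm{RegStates}(\mathrm{CPre}_1^{\mathcal{T}^{f}}(X))$.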

Proof. The proof follows from Lemma 3. □ 
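
The finite region game and the controllable-predecessor iteration can be exercised on a small instance. The following is an added illustration, not code from the paper: the regions A0, A1, A2, Bad, the actions reset and fail, and all class and function names are constructed for the example, and the blame and time-divergence components of the enlarged structure are left out, so it computes plain safety only.

```python
# Added illustration (not from the paper). A constructed toy game with one
# location and one clock x, abstracted by hand into regions:
#   A0: x = 0    A1: 0 < x < 1    A2: x = 1    Bad: unsafe sink
BOTTOM = None  # the "no discrete action" move: only let time pass


class RegionGame:
    def __init__(self, chain, enabled1, enabled2, disc):
        self.chain = chain        # region -> regions reachable by delay, in time order
        self.enabled1 = enabled1  # region -> player-1 actions enabled there
        self.enabled2 = enabled2  # region -> player-2 actions enabled there
        self.disc = disc          # (region, action) -> region after the discrete step

    def moves1(self, r):
        """Player-1 moves (R', a1): delay to R', then take a1 (or BOTTOM)."""
        return [(d, a) for d in self.chain[r]
                for a in [BOTTOM] + self.enabled1.get(d, [])]

    def moves2(self, r):
        """Player-2 moves (R', a2, i); i is the tie-break for equal destinations."""
        return [(d, a, i) for d in self.chain[r]
                for a in [BOTTOM] + self.enabled2.get(d, []) for i in (1, 2)]

    def _step(self, dest, action):
        return dest if action is BOTTOM else self.disc[(dest, action)]

    def delta(self, r, m1, m2):
        """Four-case transition: the earlier destination wins, ties go to i."""
        (r1, a1), (r2, a2, i) = m1, m2
        p1, p2 = self.chain[r].index(r1), self.chain[r].index(r2)
        if p1 < p2 or (p1 == p2 and i == 1):
            return self._step(r1, a1)   # player 1's move determines the next state
        return self._step(r2, a2)       # player 2's move determines the next state

    def winning_moves(self, r, z):
        """Player-1 moves from r that land in z against every player-2 move."""
        return {m1 for m1 in self.moves1(r)
                if all(self.delta(r, m1, m2) in z for m2 in self.moves2(r))}

    def cpre1(self, z):
        """Controllable predecessor: regions with at least one such move."""
        return {r for r in self.chain if self.winning_moves(r, z)}

    def safe_win(self, safe):
        """Greatest fixed point of Z = safe & CPre1(Z)."""
        z = set(safe)
        while True:
            nxt = z & self.cpre1(z)
            if nxt == z:
                return z
            z = nxt


def build_game(early_fail):
    """Player 1 may 'reset' x in A1; player 2 may 'fail' in A2 (and in A1 if early_fail)."""
    chain = {"A0": ["A0", "A1", "A2"], "A1": ["A1", "A2"], "A2": ["A2"], "Bad": ["Bad"]}
    enabled1 = {"A1": ["reset"]}
    enabled2 = {"A2": ["fail"]}
    disc = {("A1", "reset"): "A0", ("A2", "fail"): "Bad"}
    if early_fail:
        enabled2["A1"] = ["fail"]
        disc[("A1", "fail")] = "Bad"
    return RegionGame(chain, enabled1, enabled2, disc)


SAFE = {"A0", "A1", "A2"}

if __name__ == "__main__":
    for early in (False, True):
        g = build_game(early)
        win = g.safe_win(SAFE)
        print("early_fail =", early, "winning regions:", sorted(win))
        print("  winning moves at A0:", sorted(g.winning_moves("A0", win), key=str))
```

With early_fail set, the only winning move left at A0 is the zero-delay move (A0, BOTTOM): player 1 stays safe only by blocking time, which is the behaviour the receptiveness requirement excludes.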

Lemma 7 (Relating sure winning sets in $\widehat{\mathcal{T}}$ and $\mathcal{T}^{f}$). Let $\mathcal{T}$ be a timed automaton game, $\widehat{\mathcal{T}}$ the expanded game structure as described above, and $\mathcal{T}^{f}$ the corresponding finite state concurrent game structure. Let $\Phi$ be an $\omega$-regular location objective of $\widehat{\mathcal{T}}$ (and naturally also of $\mathcal{T}^{f}$). We have $\mathrm{Sure}_1^{\widehat{\mathcal{T}}}(\Phi) = \mathrm{RegStates}(\mathrm{Sure}_1^{\mathcal{T}^{f}}(\Phi))$.

Proof. Only unions of regions arise in the $\mu$-calculus iteration for computing winning sets in $\widehat{\mathcal{T}}$ for $\omega$-regular objectives. The proof follows from the fact that equivalent sets of states arise in the $\mu$-calculus iteration for computing the winning sets in both game structures due to Lemma 6. Corollary 1 gives us the equivalence between $\mathrm{Pure}_1$ and $\mathrm{Sure}_1$ sets. □



Obtaining a Class of Player-2 Spoiling Strategies in $\widehat{\mathcal{T}}$ Using the Game Structure $\mathcal{T}^{f}$.

We use the finite state game $\mathcal{T}^{f}$ to analyze the spoiling strategies of player 2 for any given player-1 strategy $\pi_1$ in $\widehat{\mathcal{T}}$. To do this analysis, we (1) map any player-1 strategy $\pi_1$ in $\widehat{\mathcal{T}}$ to a corresponding player-1 strategy $\pi_1^{f}$ in $\mathcal{T}^{f}$; and (2) map any player-2 spoiling strategies in $\mathcal{T}^{f}$ against $\pi_1^{f}$ to a class of player-2 spoiling strategies in $\widehat{\mathcal{T}}$, all of which will be spoiling against $\pi_1$.

We first present the next lemma which states that for every run of $\mathcal{T}^{f}$, there exists a run of $\widehat{\mathcal{T}}$ that has an equivalent region sequence.

Lemma 8. Let $\mathcal{T}$ be a timed automaton game, $\widehat{\mathcal{T}}$ the expanded game structure as described previously, and $\mathcal{T}^{f}$ the corresponding finite state concurrent game structure. For every finite run $r^{f}$ of $\mathcal{T}^{f}$, there exists a finite run $r$ of $\widehat{\mathcal{T}}$ such that $\mathrm{RegMap}(r) = r^{f}$.

Proof. Let $r^{f}$ be any given finite run of $\mathcal{T}^{f}$. We show by induction on the number of steps in $r^{f}$ that there exists a finite run $r$ of $\widehat{\mathcal{T}}$ such that $\mathrm{RegMap}(r) = r^{f}$. Let the inductive hypothesis be true for all runs with at most $j$ steps. Let $r^{f}$ contain $j + 1$ steps. By inductive hypothesis, there exists a finite run $r^*$ with $j$ steps such that $\mathrm{RegMap}(r^*) = r^{f}[0..j]$.

Let $r^{f}[0..j+1] = r^{f}[0..j], ((R_1^j, a_1^j), (R_2^j, a_2^j, i)), r^{f}[j+1]$. Since $\mathrm{Reg}(r^*[j]) = r^{f}[j]$, we have by Lemma 3, and by the construction of $\mathcal{T}^{f}$ that (1) there exists a player-$i$ move $(\Delta_i, a_i^j)$ from $r^*[j]$ such that $\mathrm{Reg}(r^*[j] + \Delta_i) = R_i^j$ for $i \in \{1, 2\}$, and (2) for some $\widehat{s}^* \in \delta_{jd}(r^*[j], (\Delta_1, a_1^j), (\Delta_2, a_2^j))$, we have $\mathrm{Reg}(\widehat{s}^*) = r^{f}[j+1]$. Thus, the run $r^*$ can be extended to $r$ by one more step such that $r$ has the desired properties. □



Mapping player-1 strategies in $\widehat{\mathcal{T}}$ to player-1 strategies in $\mathcal{T}^{f}$. Let $\mathrm{FinRuns}^{\mathcal{T}^{f}}$ be the set of finite runs of $\mathcal{T}^{f}$. A set of finite runs $O$ of $\widehat{\mathcal{T}}$ is said to cover $\mathrm{FinRuns}^{\mathcal{T}^{f}}$ if for every (finite) run $r^{f} \in \mathrm{FinRuns}^{\mathcal{T}^{f}}$, there exists a unique finite run $r \in O$ such that $\mathrm{RegMap}(r) = r^{f}$. There exists at least one such run-cover $O$ by Lemma 8. Abusing notation, we let $O(r^{f})$ denote the unique run $r \in O$ such that $\mathrm{RegMap}(r) = r^{f}$. Given a player-1 pure strategy $\pi_1$ in $\widehat{\mathcal{T}}$, and a run-cover $O$ of $\mathrm{FinRuns}^{\mathcal{T}^{f}}$, we obtain the mapped player-1 pure strategy in $\mathcal{T}^{f}$, denoted $F^{O}(\pi_1)$, as follows.

$$\big(F^{O}(\pi_1)\big)(r^{f}) = (R, a_1) \text{ such that } \pi_1(O(r^{f})) = (\Delta_1, a_1), \text{ and } \mathrm{Reg}(O(r^{f})[k] + \Delta_1) = R \quad \text{(where } O(r^{f})[k] \text{ is the last state in } O(r^{f})\text{)}$$

Intuitively, the strategy $F^{O}(\pi_1)$, on the finite run $r^{f}$, acts like $\pi_1$ on the finite run $O(r^{f})$ (i.e., the move is to the same region, with the same discrete action).

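Mapping player-2 pure strategies in $\mathcal{T}^{f}$ to player-2 pure strategies in $\widehat{\mathcal{T}}$. We now map any given player-2 pure strategy $\pi_2^{f}$ in $\mathcal{T}^{f}$ to player-2 pure strategies in $\widehat{\mathcal{T}}$. This mapping will depend on a given player-1 pure strategy $\pi_1$ in $\widehat{\mathcal{T}}$ (the strategy $\pi_1$ will be given as a parameter). Given a player-2 pure strategy $\pi_2^{f}$ in $\mathcal{T}^{f}$, and a player-1 pure strategy $\pi_1$ in $\widehat{\mathcal{T}}$, we define a set of player-2 pure strategies in $\widehat{\mathcal{T}}$. The set, denoted as $\mathrm{TSet}_{\pi_1}(\pi_2^{f})$, is defined as containing all player-2 pure strategies $\pi_2$ in $\widehat{\mathcal{T}}$ satisfying the following condition: given any run prefix $r[0..k]$ in $\widehat{\mathcal{T}}$, with $\pi_1(r[0..k]) = (\Delta_1, a_1)$, the strategy $\pi_2$ satisfies Equation 1.

$$\pi_2(r[0..k]) = \begin{cases} (\Delta_2, a_2) \text{ such that } \Delta_2 < \Delta_1 \text{ and } \mathrm{Reg}(r[k] + \Delta_2) = R_2; & \text{if (1) } \pi_2^{f}(\mathrm{RegMap}(r[0..k])) = (R_2, a_2, i), \text{ and (2) } \mathrm{Reg}(r[k] + \Delta_1) \text{ is a time successor of } R_2 \\ (\Delta_2, a_2) \text{ such that } \Delta_2 > \Delta_1 \text{ and } \mathrm{Reg}(r[k] + \Delta_2) = R_2; & \text{if (1) } \pi_2^{f}(\mathrm{RegMap}(r[0..k])) = (R_2, a_2, i), \text{ and (2) } R_2 \text{ is a time successor of } \mathrm{Reg}(r[k] + \Delta_1) \\ (\Delta_2, a_2) \text{ such that } \Delta_2 > \Delta_1 \text{ and } \mathrm{Reg}(r[k] + \Delta_2) = R_2; & \text{if (1) } \pi_2^{f}(\mathrm{RegMap}(r[0..k])) = (R_2, a_2, 1), \text{ and (2) } \mathrm{Reg}(r[k] + \Delta_1) = R_2 \\ (\Delta_2, a_2) \text{ such that } \Delta_2 < \Delta_1 \text{ and } \mathrm{Reg}(r[k] + \Delta_2) = R_2; & \text{if (1) } \pi_2^{f}(\mathrm{RegMap}(r[0..k])) = (R_2, a_2, 2), \text{ and (2) } \mathrm{Reg}(r[k] + \Delta_1) = R_2 \end{cases} \qquad (1)$$

Intuitively, a strategy $\pi_2$ in $\mathrm{TSet}_{\pi_1}(\pi_2^{f})$ picks a move of time duration bigger than that of $\pi_1$ if the strategy $\pi_2^{f}$ in $\mathcal{T}^{f}$ allows a corresponding player-1 move $(\mathrm{Reg}(r[k] + \Delta_1), a_1)$. Otherwise, the strategies $\pi_2$ pick a move of shorter duration.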

Player-2 spoiling strategies set $\mathrm{Spoil}^{O}(\pi_1, \pi_2^{f})$ in $\widehat{\mathcal{T}}$. Given a player-1 pure strategy $\pi_1$ in $\widehat{\mathcal{T}}$ such that $\pi_1$ is not a winning player-1 strategy from a state $\widehat{s}$ (for some $\omega$-regular location objective $\Phi$ of $\widehat{\mathcal{T}}$), we now obtain a specific set of player-2 spoiling pure strategies in $\widehat{\mathcal{T}}$ against $\pi_1$ from $\widehat{s}$. The set is denoted as $\mathrm{Spoil}^{O}(\pi_1, \pi_2^{f})$, where $O$ is a runcover of $\mathrm{FinRuns}^{\mathcal{T}^{f}}$, and $\pi_2^{f}$ is a given player-2 spoiling pure strategy against $F^{O}(\pi_1)$ in $\mathcal{T}^{f}$ for the same objective $\Phi$, for the starting state $\mathrm{Reg}(\widehat{s})$. We observe that some player-2 spoiling pure strategy $\pi_2^{f}$ must exist by Lemma 7 and Corollary 1. The set $\mathrm{Spoil}^{O}(\pi_1, \pi_2^{f})$ of player-2 spoiling pure strategies for $\pi_1$ is defined to be equal to $\mathrm{TSet}_{\pi_1}(\pi_2^{f})$.

The next lemma relates spoiling player-2 strategies in $\mathcal{T}^{f}$ and $\widehat{\mathcal{T}}$ (the proof is by an involved induction argument). The intuition behind the lemma is that given a state $\widehat{s} \notin \mathrm{Win}_1^{\widehat{\mathcal{T}}}(\Phi)$, we have that (a) $\mathrm{Reg}(\widehat{s}) \notin \mathrm{Win}_1^{\mathcal{T}^{f}}(\Phi)$; and (b) player 2 can obtain spoiling strategies for any player-1 strategy $\pi_1$ in $\widehat{\mathcal{T}}$ by prescribing moves to the same regions as the player-2 spoiling strategy in $\mathcal{T}^{f}$, which spoils $F^{O}(\pi_1)$ (for some suitably chosen $O$). This result will be used in the next subsection to show that receptive player-1 strategies must satisfy certain requirements.

Lemma 9 (Relating spoiling player-2 pure strategies in $\mathcal{T}^{f}$ and $\widehat{\mathcal{T}}$). Let $\mathcal{T}$ be a timed automaton game, $\widehat{\mathcal{T}}$ the expanded game structure, and $\mathcal{T}^{f}$ the corresponding finite state concurrent game structure. Given an $\omega$-regular location objective $\Phi$ of player 1 (in $\widehat{\mathcal{T}}$ and $\mathcal{T}^{f}$), the following assertions hold.

1. $\widehat{s} \in \mathrm{Pure}_1^{\widehat{\mathcal{T}}}(\Phi)$ iff $\mathrm{Reg}(\widehat{s}) \in \mathrm{Pure}_1^{\mathcal{T}^{f}}(\Phi)$.

2. Let $\widehat{s} \notin \mathrm{Pure}_1^{\widehat{\mathcal{T}}}(\Phi)$. Given any player-1 strategy $\pi_1$ in $\widehat{\mathcal{T}}$ there exists a runcover $O$ of $\mathrm{FinRuns}^{\mathcal{T}^{f}}$ such that for any player-2 pure spoiling strategy $\pi_2^{f}$ against $F^{O}(\pi_1)$ in $\mathcal{T}^{f}$ from the state $\mathrm{Reg}(\widehat{s})$ for the objective $\Phi$ (such spoiling strategies exist by the previous part of the lemma); we have that every player-2 strategy in $\mathrm{Spoil}^{O}(\pi_1, \pi_2^{f})$ is a spoiling strategy against $\pi_1$ in the structure $\widehat{\mathcal{T}}$ for the objective $\Phi$ from the state $\widehat{s}$.

Proof. 1. Only unions of regions arise in the $\mu$-calculus iteration to obtain winning sets of player 1 for the objective $\Phi$ in the game structure $\widehat{\mathcal{T}}$. Using Lemma 6 in the $\mu$-calculus iteration for obtaining the player-1 winning set for $\Phi$, we deduce that $\widehat{s} \in \mathrm{Pure}_1^{\widehat{\mathcal{T}}}(\Phi)$ iff $\mathrm{Reg}(\widehat{s}) \in \mathrm{Pure}_1^{\mathcal{T}^{f}}(\Phi)$.

2. By the first part of the lemma, we have that $\mathrm{Reg}(\widehat{s}) \notin \mathrm{Pure}_1^{\mathcal{T}^{f}}(\Phi)$. Thus, given any runcover $O$, there exists a pure player-2 spoiling strategy $\pi_2^{f}$ against $F^{O}(\pi_1)$ in $\mathcal{T}^{f}$ from the state $\mathrm{Reg}(\widehat{s})$ for the objective $\Phi$. We show that there exists a runcover $O$ of $\mathrm{FinRuns}^{\mathcal{T}^{f}}$ such that given any pure player-2 strategy $\pi_2^{f}$ which spoils $F^{O}(\pi_1)$ in $\mathcal{T}^{f}$ from winning the objective $\Phi$ starting from $\mathrm{Reg}(\widehat{s})$, and given any player-2 strategy $\pi_2$ from $\mathrm{Spoil}^{O}(\pi_1, \pi_2^{f})$ in $\widehat{\mathcal{T}}$, there exists a run $r^* \in \mathrm{Outcomes}(\widehat{s}, \pi_1, \pi_2)$ in $\widehat{\mathcal{T}}$, such that the region sequence of $r^*$ is the same as the sequence of regions in the (only) run from $\mathrm{Outcomes}(\mathrm{Reg}(\widehat{s}), F^{O}(\pi_1), \pi_2^{f})$.

This proves the lemma due to the following: since $\pi_2^{f}$ is a player-2 spoiling strategy against $F^{O}(\pi_1)$, we must have that $\mathrm{Reg}(r^*)$ satisfies $\neg\Phi$, and hence $r^*$ satisfies $\neg\Phi$, implying $\pi_2$ to be a spoiling strategy of player 2 in $\widehat{\mathcal{T}}$ against $\pi_1$. The proof of the statement is by an involved induction. □

3.2 Characterizing Receptive Strategies Without Using Extra Clocks 

We now present characterizations of receptive strategies in timed automaton games, and show that receptiveness can be expressed as an LTL condition on the states of $\widehat{\mathcal{T}}$, from which it follows that receptive strategies require finite memory in timed automaton games. First, we consider the case where all clocks are bounded in the game
(i.e., location invariants of the form AseC^ — locations).

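Lemma 10 (Receptive strategies when all clocks bounded in $\mathcal{T}$). Let $\mathcal{T}$ be a timed automaton game in which all clocks are bounded (i.e., for all clocks $x$ we have $x < d_x$, for constants $d_x$ in all reachable states). Let $\widehat{\mathcal{T}}$ be the enlarged game structure obtained from $\mathcal{T}$. Then player 1 has a receptive strategy from a state $s$ of $\mathcal{T}$ iff $(s, \cdot) \in \mathrm{Sure}_1^{\widehat{\mathcal{T}}}(\Phi)$, where

$$\Phi = \Box\Diamond(bl_1 = \text{true}) \rightarrow \Big(\bigwedge_{x \in C} \Box\Diamond(x = 0)\Big) \wedge \Big(\Box\Diamond\big((bl_1 = \text{true}) \wedge \bigwedge_{x \in C}(V_{>0}(x) = \text{true})\big) \;\vee\; \Box\Diamond\big((bl_1 = \text{false}) \wedge \bigvee_{x \in C}(V_{\geq 1}(x) = \text{true})\big)\Big)$$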

Proof. We prove inclusion in both directions.

1. ($\Leftarrow$). For a state $\widehat{s} \in \mathrm{Sure}_1^{\widehat{\mathcal{T}}}(\Phi)$, we show that player 1 has a receptive strategy from $\widehat{s}$. Let $\pi_1$ be a pure sure winning region strategy: since $\Phi$ is an $\omega$-regular region objective such a strategy exists by Lemma 5. Consider a strategy $\pi_1'$ for player 1 that is region-equivalent to $\pi_1$ such that whenever the strategy $\pi_1$ proposes a move $(\Delta, a_1)$ for any run prefix $r[0..k]$ with $r[k] + \Delta$ satisfying $\bigwedge_{x \in C}(x > 0)$, then $\pi_1'$ proposes the move $(\Delta', a_1)$ for $r[0..k]$ such that $\mathrm{Reg}(r[k] + \Delta) = \mathrm{Reg}(r[k] + \Delta')$ and $r[k] + \Delta'$ satisfies $(\bigvee_{y \in C} y > 1/2) \wedge \bigwedge_{x \in C}(x > 0)$. Such a move always exists; in particular, for any state $\widehat{s}$, if there exists $\Delta$ such that $\widehat{s} + \Delta \in R \cap \bigwedge_{x \in C}(x > 0)$, then there exists $\Delta'$ such that $\widehat{s} + \Delta' \in R \cap ((\bigvee_{y \in C} y > 1/2) \wedge \bigwedge_{x \in C}(x > 0))$. Intuitively, player 1 jumps near the boundary of $R$. By Lemma 5, $\pi_1'$ is also sure-winning for $\Phi$. The strategy $\pi_1'$ ensures that in all resulting runs, if player 1 is not blameless, then all clocks are 0 infinitely often (since for all clocks $\Box\Diamond(x = 0)$), and that some clock has value more than 1/2 infinitely often (either due to player 1 ensuring some clock being greater than 1/2 infinitely often; or player 2 playing moves which result in some clock being greater than 1 infinitely often). This implies time divergence. Hence player 1 has a receptive winning strategy from $\widehat{s}$.

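2. ($\Rightarrow$). For a state $\widehat{s} \notin \mathrm{Sure}_1^{\widehat{\mathcal{T}}}(\Phi)$, we show that player 1 does not have any receptive strategy starting from state $\widehat{s}$. We have $\neg\Phi = (\Box\Diamond(bl_1 = \text{true})) \wedge (\neg\Psi_1 \vee (\neg\Psi_2 \wedge \neg\Psi_3))$, where

$$\neg\Psi_1 = \bigvee_{x \in C} \Diamond\Box(x > 0)$$
$$\neg\Psi_2 = \Diamond\Box\Big((bl_1 = \text{true}) \rightarrow \bigvee_{x \in C}(V_{>0}(x) = \text{false})\Big)$$
$$\neg\Psi_3 = \Diamond\Box\Big((bl_1 = \text{false}) \rightarrow \bigwedge_{x \in C}(V_{\geq 1}(x) = \text{false})\Big)$$

Recall the finite state game $\mathcal{T}^{f}$ based on the regions of $\widehat{\mathcal{T}}$. Suppose $\widehat{s} \notin \mathrm{Sure}_1^{\widehat{\mathcal{T}}}(\Phi)$. Then $\widehat{s} \notin \mathrm{Pure}_1^{\widehat{\mathcal{T}}}(\Phi)$ by Corollary 1. Consider any pure player-1 strategy $\pi_1$ in $\widehat{\mathcal{T}}$. By Lemma 9, $\mathrm{Reg}(\widehat{s}) \notin \mathrm{Pure}_1^{\mathcal{T}^{f}}(\Phi)$, and there exists a runcover $O$ for $\mathrm{FinRuns}^{\mathcal{T}^{f}}$ such that for any player-2 pure spoiling strategy $\pi_2^{f}$ against $F^{O}(\pi_1)$ in $\mathcal{T}^{f}$ from $\mathrm{Reg}(\widehat{s})$, we have that every player-2 strategy in $\mathrm{Spoil}^{O}(\pi_1, \pi_2^{f})$ is a spoiling strategy against $\pi_1$ in the structure $\widehat{\mathcal{T}}$.

Let $O$ be such a runcover, and let $\pi_2^{f}$ be any such player-2 strategy against $F^{O}(\pi_1)$ in $\mathcal{T}^{f}$ from $\mathrm{Reg}(\widehat{s})$. We show that with an appropriately chosen $\pi_2$ in $\mathrm{Spoil}^{O}(\pi_1, \pi_2^{f})$, player 2 can ensure that in one of the resulting runs, player 1 is not blameless, and time converges, and hence player 1 does not have a receptive pure strategy in $\widehat{\mathcal{T}}$. The result follows from observing that if player 1 does not have a pure receptive strategy, then it does not have a (possibly randomized) receptive strategy (as a randomized strategy may be viewed as a random choice over pure strategies).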

Consider runs $r \in \mathrm{Outcomes}(\widehat{s}, \pi_1, \pi_2)$ for $\pi_2 \in \mathrm{Spoil}^{O}(\pi_1, \pi_2^{f})$. One of the runs must satisfy $\neg\Phi$, which can happen in one of the following ways.

(a) $(\Box\Diamond(bl_1 = \text{true})) \wedge \neg\Psi_1$. The condition $\neg\Psi_1$ means that there is some clock $x$ which eventually stays strictly greater than 0. Since all clocks are bounded, this condition means that the run is time convergent, and player 1 is not blameless.

(b) $(\Box\Diamond(bl_1 = \text{true})) \wedge \neg\Psi_2 \wedge \neg\Psi_3$. The clause $\neg\Psi_2$ means that eventually if an action of player 1 is chosen, then for some clock $x$, the value of $x$ stays at 0 throughout the move (which means that the move of player-1 is of duration 0). The clause $\neg\Psi_3$ means that eventually if an action of player 2 is chosen, then for every clock $x$, the value of $x$ is strictly less than 1 during the move.

Player 2 can have a strategy which takes moves smaller than $1/2^j$ during the $j$-th visit to a region $R$ in which every clock $x$ has value less than 1. We formalize the above statement. The strategy $\pi_2^{f}$ spoils $F^{O}(\pi_1)$ from winning in $\mathcal{T}^{f}$ for the objective $\Phi$. Given a run prefix $r[0..k]$ of $\widehat{\mathcal{T}}$, let $\pi_1(r[0..k]) = (\Delta_1, a_1)$. Consider a player-2 strategy $\pi_2$ in $\mathrm{Spoil}^{O}(\pi_1, \pi_2^{f})$, and let $\pi_2^{f}(\mathrm{RegMap}(r[0..k])) = (R_2, a_2, i)$. Let $\pi_2$ be a strategy in $\mathrm{Spoil}^{O}(\pi_1, \pi_2^{f})$ such that for $\pi_2(r[0..k]) = (\Delta_2, a_2)$ we have $\Delta_2 < \Delta_1$ and $\Delta_2 < 1/2^k$ whenever the following conditions hold.

i. For every clock $x$, the value of $x$ is strictly less than 1 in $R_2$.

ii. Either

A. $R_2$ is a region predecessor of $\mathrm{Reg}(r[k] + \Delta_1)$; or

B. $i = 2$ and $\mathrm{Reg}(r[k] + \Delta_1) = R_2$.

It can be observed from Equation 1 that such a $\Delta_2$ and such a strategy $\pi_2$ in $\mathrm{Spoil}^{O}(\pi_1, \pi_2^{f})$ always exist. The above condition ensures that if a move of player 2 is chosen to a region $R$ in which every clock $x$ has value less than 1, then the moves are smaller than $1/2^j$ during the $j$-th stage of the game. The strategy $\pi_2$ is a spoiling strategy against $\pi_1$ by Lemma 9 as $\pi_2$ is in $\mathrm{Spoil}^{O}(\pi_1, \pi_2^{f})$. Moreover, this strategy ensures that at least one of the resulting runs $r$ satisfies $\neg\Phi$.

i. If $r$ satisfies $(\Box\Diamond(bl_1 = \text{TRUE})) \wedge \neg\Psi_1$, then the run is time convergent, and player 1 is not blameless.

ii. If $r$ satisfies $(\Box\Diamond(bl_1 = \text{true})) \wedge \neg\Psi_2 \wedge \neg\Psi_3$, then we have that:

A. Eventually, every chosen move of player 2 results in a region $R$ in which every clock $x$ has value less than 1, with the duration of the player-2 move being smaller than $1/2^j$ during the $j$-th stage of the game; and

B. Eventually every chosen move of player 1 is of time duration 0.

Thus, time is convergent in the run $r$ and player 1 is not blameless.

Hence, player 1 does not have a pure receptive strategy from $\widehat{s}$ (from which it follows that it does not have any receptive strategy from $\widehat{s}$). □

We next present a couple of examples to demonstrate the role of the various clauses in the formula $\Phi$ of Lemma 10.
Fig. 2. A timed automaton game $\mathcal{T}_1$ with player-1 receptive strategies. (Edge labels recoverable from the figure: $1 > y \wedge x > 0 \rightarrow y := 0$ and $1 > x \wedge y > 0 \rightarrow x := 0$.)

Fig. 3. Two trajectories of the cycle (a?, 02) traversing through two regions of $\mathcal{T}_1$.

Example 1. Consider the timed automaton game $\mathcal{T}_1$ in Figure 2. The edges a\ are player-1 edges and player-2 edges. The edges a\ and a\ have the same guards and reset maps. It is clear that player 1 has a receptive strategy when at location $l_3$; it repeatedly takes (or tries to take) the edge a\. Let us hence focus our attention on plays which consist of $(l_1, l_2)$ cycles (i.e., player 2 picks the edge from location $l_2$, and allows player 1 to take the edge a\ from location $l_1$). Let the starting state satisfy $(x < 1) \wedge (y < 1)$. In a run which consists of $(l_1, l_2)$ cycles, we have that (1) both clocks are reset infinitely often, and (2) both clocks are greater than 0 infinitely often when the edge is taken (this is because the condition on the edge 02 ensures that clock $y$ is greater than 0 when at location $l_1$, and the edge condition on further ensure $x > 0$ when edge a° is taken). Thus, a run of $(l_1, l_2)$ cycles satisfies the formula of Lemma 10. We next illustrate why such a run would be time-divergent (with appropriately chosen player-1 moves for the edge a^).

Observe that after one $(l_1, l_2)$ cycle, the states always satisfy $1 > x > y > 0$ when at $l_1$, and $1 > y > x > 0$ when at $l_2$. Figure 1 illustrates two paths through these two regions after at least one $(l_1, l_2)$ cycle. Note that the transitions into the region $1 > x > y > 0$ are controlled by player 2, and those into $1 > y > x > 0$ controlled by player 1. In the second trajectory, player 1 is not able to take transitions which make the clock $x$ more than 1/2; but it is able to ensure that the clock $y$ is more than 1/2 infinitely often. Since the clock $y$ is more than 1/2 infinitely often and is also reset infinitely often, time diverges (we will present a more formal proof of time divergence of the run shortly). It is easy to construct another timed automaton $\mathcal{T}^*$ in which player 1 can only ensure that clock $x$ is more than 1/2 infinitely often. It can then be seen that the automata $\mathcal{T}_1$ and $\mathcal{T}^*$ can be "combined" by a player-2 action so that player 1 can only ensure that some clock is more than 1/2 infinitely often; it cannot ensure that any one particular clock will satisfy this property. To ensure time
divergence, player 1 hence also needs to ensure that all clocks are reset infinitely often (as it does not know which clock will be more than 1/2 infinitely often).

Fig. 4. A timed automaton game $\mathcal{T}_2$ without player-1 receptive strategies.

We now formally show time divergence of the runs shown in Figure 1. Let the duration of the $j$-th player 2 move be $\Delta_2^j$. The value of the clock $y$ is then $\Delta_2^j$ when location $l_1$ is entered for the $j$-th time, after the $j$-th 03 move. Player 1 picks its $j$-th move to be of duration $1 - \Delta_2^j + \varepsilon$. Thus, in one cycle time passes by $1 - \varepsilon$ time units. With $\varepsilon < 1$, it can be seen that time diverges. □

Example 2. In this example we illustrate why we require in the formula $\Phi$ of Lemma 10 that if $\Box\Diamond((bl_1 = \text{true}) \wedge \bigwedge_{x \in C}(V_{>0}(x) = \text{true}))$ does not hold, then $\Box\Diamond((bl_1 = \text{false}) \wedge \bigvee_{x \in C}(V_{\geq 1}(x) = \text{true}))$ must hold. Consider the timed automaton game $\mathcal{T}_2$ in Figure 4. The edges are player-1 edges and player-2 edges. The edges a| and af have the same guards and reset maps. It is clear that player 1 has a receptive strategy when at location $l_3$; it repeatedly takes (or tries to take) the edge af. Hence, player 2 keeps the game in the $(l_1, l_2, l_4)$ cycle. For the $j$-th 03 and the $j$-th move, player 2 chooses a time duration of $1/2^j$. Player 1 is forced to take the move (of time duration 0) when at location $l_4$. In this cycle with such a strategy by player 2, we have that (1) all clocks are reset infinitely often, (2) the moves of player 1 are picked infinitely often, and (3) all clock values are greater than 0 infinitely often (i.e., $\Box\Diamond \bigwedge_{x \in C}(V_{>0}(x) = \text{true})$ holds). But, time converges in such a run (and thus player 1 does not have a receptive strategy). The states in $l_1, l_2, l_4$ (with $x < 1 \wedge y < 1$) do not satisfy $\Phi$ of Lemma 10 because even though $\Box\Diamond \bigwedge_{x \in C}(V_{>0}(x) = \text{true})$ holds, $\Box\Diamond((bl_1 = \text{true}) \wedge \bigwedge_{x \in C}(V_{>0}(x) = \text{true}))$ does not hold. As this example shows, if player 2 picks moves to satisfy $\bigwedge_{x \in C}(V_{>0}(x) = \text{true})$, then it can choose arbitrarily small moves. That is why we require that if we are considering player 2 moves, then $\bigvee_{x \in C}(V_{\geq 1}(x) = \text{true})$ must hold infinitely often. □

Characterization of receptive strategies for general timed automaton games ([CHP08]). Lemma 10 was generalized to all timed automaton games in the following lemma presented in [CHP08]. The idea of the generalization is to identify the subset of clocks which "escape" to infinity; and then to take a disjunction over all such possible subsets. Note that once a clock $x$ becomes more than $c_x$, then its actual value can be considered irrelevant in determining regions. If only the clocks in $X \subseteq C$ have escaped beyond their maximum tracked values, the rest of the clocks still need to be tracked.

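Lemma 11 ([CHP08]). Let T be a timed automaton game, and T be the corresponding enlarged game. Then
player 1 has a receptive strategy from a state $s$ iff $(s, \cdot) \in \mathsf{Sure}_1(\Phi^*)$, where
$\Phi^* = \Box\Diamond(bl_1 = \text{true}) \rightarrow \bigvee_{X \subseteq C} \phi_X$, and

$$
\begin{aligned}
\phi_X = {} & \Big(\bigwedge_{x \in X} \Diamond\Box(x > c_x)\Big) \wedge \Big(\bigwedge_{x \in C \setminus X} \Box\Diamond(x = 0)\Big) \wedge {} \\
& \Big( \Box\Diamond\big((bl_1 = \text{true}) \wedge \bigwedge_{x \in C \setminus X}(V_{>0}(x) = \text{true})\big)
\ \vee\ \Box\Diamond\big((bl_1 = \text{true}) \wedge \bigvee_{x \in C \setminus X}(V_{\geq 1}(x) = \text{true})\big) \Big)
\end{aligned}
$$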



New characterization of receptive strategies for general timed automaton games. We shall see
later that player-1 strategies which win for the objective $\Phi^*$ of Lemma 11 have a bound of $(|C| + 1)^{2^{|C|}}$ for
the number of memory states required. We present a new characterization of receptive strategies for which
we can prove a memory bound of only $(|C| + 1)$. First, we need to add $|C|$ predicates to the game structure
T. For a state $s$ of T, we define another function $V^*_{>\max} : C \mapsto \{\text{true}, \text{false}\}$. The value of the predicate
$V^*_{>\max}(x)$ for a clock $x \in C$ is true at a state $s$ iff the value of clock $x$ is more than $c_x$, and was more
than $c_x$ in the previous state. That is, if a state $s^p = \langle l^p, \kappa^p \rangle$ and $\delta(s^p, \langle \Delta, a_i \rangle) = s$, then at the state $s$, the
predicate $V^*_{>\max}(x)$ is true iff $\kappa'(x) > c_x$ for $\kappa' \in \{\kappa^p + \Delta' \mid 0 \le \Delta' \le \Delta\}$. Let T be the enlarged game
structure similar to T with the state space being enlarged to also have $V^*_{>\max}$ values (in addition to $V_{>0}$ and
$V_{\geq 1}$ values): $S \times \{\text{true}, \text{false}\} \times \{\text{true}, \text{false}\}^{C} \times \{\text{true}, \text{false}\}^{C} \times \{\text{true}, \text{false}\}^{C}$. A state of T is a
tuple $\langle s, bl_1, V_{>0}, V_{\geq 1}, V^*_{>\max} \rangle$, where $s$ is a state of T, the component $bl_1$ is true iff player 1 is to be blamed
for the last transition, and $V_{>0}$, $V_{\geq 1}$, $V^*_{>\max}$ are as defined earlier. A finite state concurrent game T*^ analogous
to T'^ can be constructed, and results analogous to Lemmas 6, 7 and 9 hold for the structures "J and 'J'^.
First we present the following technical lemma which will be used later.

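Lemma 12. Let T be a timed automaton game, and T be the corresponding enlarged game. A run $r$ in T satisfies

$$\bigwedge_{x \in C} \big(\Box\Diamond(x = 0) \vee \Diamond\Box(V^*_{>\max}(x) = \text{true})\big)$$

iff it satisfies

$$\bigwedge_{x \in C} \Box\Diamond\big((x = 0) \vee (V^*_{>\max}(x) = \text{true})\big).$$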

Proof. We prove inclusion in both directions. 

1. ($\Rightarrow$). Suppose a run $r$ in T satisfies $\bigwedge_{x \in C} \big(\Box\Diamond(x = 0) \vee \Diamond\Box(V^*_{>\max}(x) = \text{true})\big)$. Consider a clock
$x \in C$. If either $\Box\Diamond(x = 0)$ or $\Diamond\Box(V^*_{>\max}(x) = \text{true})$ holds on $r$, it can be seen that
$\Box\Diamond\big((x = 0) \vee (V^*_{>\max}(x) = \text{true})\big)$ holds on $r$.

2. ($\Leftarrow$). Suppose a run $r$ in T satisfies $\bigwedge_{x \in C} \Box\Diamond\big((x = 0) \vee (V^*_{>\max}(x) = \text{true})\big)$. Consider a clock $x \in C$. We
must have either $\Box\Diamond(x = 0)$ or $\Box\Diamond(V^*_{>\max}(x) = \text{true})$. If $\Box\Diamond(x = 0)$ on the run $r$, then it satisfies our
requirement. We show that if run $r$ satisfies $\Box\Diamond(V^*_{>\max}(x) = \text{true})$, then it must satisfy either $\Box\Diamond(x = 0)$
or $\Diamond\Box(V^*_{>\max}(x) = \text{true})$. This is because the only way for the value of a clock to decrease is to be reset to
0. In particular, once the clock $x$ becomes more than $c_x$, the only way for it to become less than or equal
to $c_x$ is to be reset to 0. If the clock $x$ becomes more than $c_x$ and is never reset, it will stay more than $c_x$
forever. □

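Lemma 13 (Receptive strategies when clocks may be unbounded in T). Let T be a timed automaton
game, and T be the corresponding enlarged game. Then player 1 has a receptive strategy from a state $s$ of T iff
$(s, \cdot) \in \mathsf{Sure}_1(\Phi^\dagger)$, where $\Phi^\dagger = \Box\Diamond(bl_1 = \text{true}) \rightarrow \Psi^\dagger$, and

$$
\begin{aligned}
\Psi^\dagger = {} & \Bigg( \Big(\bigwedge_{x \in C} \Box\Diamond\big((x = 0) \vee (V^*_{>\max}(x) = \text{true})\big)\Big) \wedge {} \\
& \quad \bigg( \Box\Diamond\Big((bl_1 = \text{true}) \wedge \big(\bigwedge_{x \in C}(V_{>0}(x) = \text{true})\big) \wedge \big(\bigvee_{x \in C}(V^*_{>\max}(x) = \text{false})\big)\Big) \\
& \quad\ \ \vee\ \Box\Diamond\Big((bl_1 = \text{false}) \wedge \bigvee_{x \in C}\big((V_{\geq 1}(x) = \text{true}) \wedge (V^*_{>\max}(x) = \text{false})\big)\Big) \bigg) \Bigg) \\
& \vee\ \Big(\bigwedge_{x \in C} \Diamond\Box(V^*_{>\max}(x) = \text{true})\Big)
\end{aligned}
$$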

Proof. We prove inclusion in both directions. 

1. ($\Leftarrow$). For a state $s \in \mathsf{Sure}_1(\Phi^\dagger)$, we show that player 1 has a receptive strategy from $s$. Let $\pi_1$ be a pure sure
winning region strategy: since $\Phi^\dagger$ is an $\omega$-regular region objective such a strategy exists by Lemma 5. Let
$R_{\max}$ denote the region where for every clock $x$, the value of $x$ is more than $c_x$. Consider a region strategy
$\pi'_1$ for player 1 that is region-equivalent to $\pi_1$ such that given a run prefix $r[0..k]$, the strategy $\pi'_1$ acts like
$\pi_1$ except when:

- If $\mathsf{Reg}(r[k]) = R_{\max}$ and $\pi_1(r[0..k]) = \langle \Delta, a_1 \rangle$, then $\pi'_1(r[0..k]) = \langle \Delta', a_1 \rangle$ such that $\Delta' > 1$ (observe that
$\mathsf{Reg}(r[k] + \Delta') = R_{\max}$ for any $\Delta'$).

- If $\mathsf{Reg}(r[k]) \neq R_{\max}$ and $\pi_1(r[0..k]) = \langle \Delta, a_1 \rangle$ with the state $r[k] + \Delta$ being such that the value of some
clock $x$ is less than or equal to $c_x$ but more than 0, then $\pi'_1(r[0..k]) = \langle \Delta', a_1 \rangle$ such that (1) $\mathsf{Reg}(r[k] + \Delta') = \mathsf{Reg}(r[k] + \Delta)$,
and (2) the value of some clock $y$ (possibly different from $x$) is less than $c_y$ at $r[k]$,
and is more than 1/2 at $r[k] + \Delta'$ (intuitively, $\pi'_1$ jumps near the region boundary of $\mathsf{Reg}(r[k] + \Delta)$).

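We have $\Phi^\dagger = (\neg\Box\Diamond(bl_1 = \text{true})) \vee (\Psi_1 \wedge (\Psi_2 \vee \Psi_3)) \vee \Psi_4$, where

$$
\begin{aligned}
\Psi_1 &= \bigwedge_{x \in C} \Box\Diamond\big((x = 0) \vee (V^*_{>\max}(x) = \text{true})\big) \\
\Psi_2 &= \Box\Diamond\Big((bl_1 = \text{true}) \wedge \big(\bigwedge_{x \in C}(V_{>0}(x) = \text{true})\big) \wedge \big(\bigvee_{x \in C}(V^*_{>\max}(x) = \text{false})\big)\Big) \\
\Psi_3 &= \Box\Diamond\Big((bl_1 = \text{false}) \wedge \bigvee_{x \in C}\big((V_{\geq 1}(x) = \text{true}) \wedge (V^*_{>\max}(x) = \text{false})\big)\Big) \\
\Psi_4 &= \bigwedge_{x \in C} \Diamond\Box(V^*_{>\max}(x) = \text{true})
\end{aligned}
$$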

Given any player-2 strategy $\pi_2$, consider any run $r \in \mathsf{Outcomes}(s, \pi'_1, \pi_2)$. The run $r$ must satisfy $\Phi^\dagger$. One
of the following conditions must be satisfied on the run $r$.

(a) $\Diamond\Box(bl_1 = \text{false})$. This satisfies the receptiveness condition.

(b) $(\Box\Diamond(bl_1 = \text{true})) \wedge \Psi_4$. This means that in the run $r$, every clock $x$ eventually becomes greater than
$c_x$, and moves of player 1 are chosen infinitely often. Since the strategy $\pi'_1$ chooses moves of duration
greater than 1 when staying in $R_{\max}$, time diverges in the run $r$.

(c) $((\Box\Diamond(bl_1 = \text{true})) \wedge \neg\Psi_4) \wedge (\Psi_1 \wedge (\Psi_2 \vee \Psi_3))$. The constraint $\neg\Psi_4$ means that there is some clock $x$
which is less than $c_x$ infinitely often. Satisfaction of the constraint $\Psi_1$ and Lemma 12 imply that

$$\bigwedge_{x \in C} \big(\Box\Diamond(x = 0) \vee \Diamond\Box(V^*_{>\max}(x) = \text{true})\big)$$

must be satisfied on the run $r$. That is, each clock $x$ which is not eventually always greater than $c_x$ must
be 0 infinitely often. Also, the run must satisfy either $\Psi_2$ or $\Psi_3$.

Suppose we have the first case (i.e., $\Psi_2$ holds). Then, for infinitely many $k$, player-1 moves are chosen
from $r[0..k]$ such that for some clock $x$, we have (1) the value of the clock $x$ is less than $c_x$ at $r[k]$
(note that if the value of $x$ is less than $c_x$ at some point during the move, then it must be less than
$c_x$ at the origin), and (2) for $\pi'_1(r[0..k]) = \langle \Delta', a_1 \rangle$, the value of the clock $x$ at $r[k] + \Delta'$ is more than
0. Because of the design of $\pi'_1$, this means that for infinitely many $k$, there is some clock $y$ such that if
$\pi'_1(r[0..k]) = \langle \Delta', a_1 \rangle$ then, (1) the value of clock $y$ at $r[k]$ is not more than $c_y$, and (2) the value of clock
$y$ is more than 1/2 at $r[k] + \Delta'$. Since the clock $y$ must also be equal to 0 infinitely often (as it is not
more than $c_y$ eventually from above, and due to $\Psi_1$), this implies that time diverges.
Suppose we have the second case (i.e., $\Psi_3$ holds). Then, for infinitely many $k$, player-2 moves are chosen
from $r[0..k]$ such that for some clock $x$, we have (1) the value of the clock $x$ is less than $c_x$ at $r[k]$, and,
(2) for $\pi_2(r[0..k]) = \langle \Delta_2, a_2 \rangle$, the value of the clock $x$ at $r[k] + \Delta_2$ is more than or equal to 1. Since the
clock $x$ must also be equal to 0 infinitely often (as it is not more than $c_x$ eventually from above, and due
to $\Psi_1$), this implies that time diverges.

Thus, in all cases, the strategy $\pi'_1$ ensures that either player 1 is not to blame, or time diverges. Hence, $\pi'_1$
is a receptive strategy from $s$.
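2. ($\Rightarrow$). For a state $s \notin \mathsf{Sure}_1(\Phi^\dagger)$, we show that player 1 does not have any receptive strategy starting from
state $s$. We have $\neg\Phi^\dagger = (\Box\Diamond(bl_1 = \text{true})) \wedge \neg\big((\Psi_1 \wedge (\Psi_2 \vee \Psi_3)) \vee \Psi_4\big)$, where $\Psi_1, \Psi_2, \Psi_3$ and $\Psi_4$ are as
defined previously. Simplifying, we get $\neg\Phi^\dagger = (\Box\Diamond(bl_1 = \text{true})) \wedge (\neg\Psi_1 \vee (\neg\Psi_2 \wedge \neg\Psi_3)) \wedge \neg\Psi_4$, where

$$
\begin{aligned}
\neg\Psi_1 &= \bigvee_{x \in C} \Diamond\Box\big((x > 0) \wedge (V^*_{>\max}(x) = \text{false})\big) \\
\neg\Psi_2 &= \Diamond\Box\Big((bl_1 = \text{true}) \rightarrow \big(\bigvee_{x \in C}(V_{>0}(x) = \text{false})\big) \vee \big(\bigwedge_{x \in C}(V^*_{>\max}(x) = \text{true})\big)\Big) \\
\neg\Psi_3 &= \Diamond\Box\Big((bl_1 = \text{false}) \rightarrow \bigwedge_{x \in C}\big((V_{\geq 1}(x) = \text{false}) \vee (V^*_{>\max}(x) = \text{true})\big)\Big) \\
\neg\Psi_4 &= \Box\Diamond \bigvee_{x \in C}(V^*_{>\max}(x) = \text{false})
\end{aligned}
$$

(Using the identity $\bigvee_{x \in C} \Box\Diamond P(x) = \Box\Diamond \bigvee_{x \in C} P(x)$.)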

Recall the finite state game 7^ based on the regions of T. There exists a similar finite state game T*^ based on
the regions of 7, with results relating 7^ and 7 as the results relating T*^ and 7. Suppose $s \notin \mathsf{Sure}_1(\Phi^\dagger)$. Then
$s \notin \mathsf{Pure}_1(\Phi^\dagger)$ by Corollary 1. Consider any pure player-1 strategy $\pi_1$ in 7. By Lemma 9, Reg(s) ^ PureJ (^)^
and there exists a runcover O for FinRuns'^ such that for any player-2 pure spoiling strategy vrf against
(tti) in 7^ from Reg(s), we have that every player-2 strategy in Spoil'^(7ri, '^) is a spoiling strategy
against $\pi_1$ in the structure "J.

Let O be such a runcover, and let vTg^ be any such player-2 strategy against (tti) in 7^ from Reg(s).
We show that with an appropriately chosen $\pi_2$ in Spoil'^(7ri, vrj ''), player 2 can ensure that in one of the
resulting runs, player 1 is not blameless, and time converges, and hence player 1 does not have a receptive
pure strategy in "J. The result follows from observing that if player 1 does not have a pure receptive strategy,
then it does not have a (possibly randomized) receptive strategy (as a randomized strategy may be viewed
as a random choice over pure strategies).

Consider runs $r \in \mathsf{Outcomes}(s, \pi_1, \pi_2)$ for $\pi_2 \in$ Spoil'^(7ri, 7r2 ''). One of the runs must satisfy $\neg\Phi^\dagger$, which
can happen in one of the following ways.

(a) $(\Box\Diamond(bl_1 = \text{true})) \wedge \neg\Psi_1 \wedge \neg\Psi_4$. The condition $\neg\Psi_1$ means that there is some clock $x$ which eventually
stays strictly greater than 0, and also stays less than or equal to $c_x$. This is impossible in a time-divergent
run as clocks can only be reset to 0. Thus, in this run time does not diverge, and player 1 is not blameless.

(b) $(\Box\Diamond(bl_1 = \text{true})) \wedge \neg\Psi_2 \wedge \neg\Psi_3 \wedge \neg\Psi_4$. The clause $\neg\Psi_4$ implies that there is some clock $x$ such that it is
not greater than $c_x$ infinitely often during transitions (including the originating state). The clause $\neg\Psi_2$
means that eventually if an action of player 1 is chosen, then either (1) every clock $x$ has value greater
than $c_x$ during the move (this is not possible if the run satisfies $\neg\Psi_4$), or (2) for some clock $x$, the
value of $x$ stays at 0 throughout the move (which means that the move of player-1 is of duration 0).
The clause $\neg\Psi_3$ means that eventually if an action of player 2 is chosen, then for every clock $x$, either
the clock $x$ has value greater than $c_x$ during the move, or the value of $x$ is strictly less than 1 during the
move.

Player 2 can have a strategy which takes moves smaller than $1/2^j$ during the j-th visit to a region $R$ in
which every clock $x$ either has value less than 1, or greater than $c_x$. We formalize the above statement.
The strategy vrj spoils F'^ (tti) from winning in 'j'^ for the objective 'P^ . Given a run prefix $r[0..k]$ of T, let
$\pi_1(r[0..k]) = \langle \Delta_1, a_1 \rangle$. Consider a player-2 strategy 7r2 in Spoil'^(7ri, vrj ""), and let ''(RegMap(r[0..fe])) =
$\langle R_2, a_2, i \rangle$. Let 772 be a strategy in Spoil^(7ri, ) such that for $\pi_2(r[0..k]) = \langle \Delta_2, a_2 \rangle$ we have $\Delta_2 < \Delta_1$
and $\Delta_2 < 1/2^j$ whenever the following conditions hold.

i. Each clock $x$ in $R_2$ is either less than 1, or more than $c_x$; and

ii. Either

A. $R_2$ is a region predecessor of $\mathsf{Reg}(r[k] + \Delta_1)$; or

B. $i = 2$ and $\mathsf{Reg}(r[k] + \Delta_1) = R_2$.

It can be observed from Equation 1 that such a $\Delta_2$ and such a strategy $\pi_2$ in Spoil'^(7ri, '') always
exist. The above condition ensures that if a move of player 2 is chosen to a region $R$ in which every clock
$x$ either has value less than 1, or greater than $c_x$, then the move is smaller than $1/2^j$ during the j-th stage
of the game. The strategy $\pi_2$ is a spoiling strategy against $\pi_1$ by Lemma 9 as $\pi_2$ is in Spoil^(7ri, '').

Moreover, this strategy ensures that at least one of the resulting runs $r$ satisfies $\neg\Phi^\dagger$.
i. If $r$ satisfies $(\Box\Diamond(bl_1 = \text{true})) \wedge \neg\Psi_1 \wedge \neg\Psi_4$, then the run is time convergent, and player 1 is not
blameless.

ii. If $r$ satisfies $(\Box\Diamond(bl_1 = \text{true})) \wedge \neg\Psi_2 \wedge \neg\Psi_3 \wedge \neg\Psi_4$, then we have that:

A. Eventually every chosen move of player 2 results in a region $R$ in which every clock $x$ either has
value less than 1, or greater than $c_x$, with the duration of the player-2 move being smaller than
$1/2^j$ during the j-th stage of the game; and

B. Eventually every chosen move of player 1 is of time duration 0.
Thus, time is convergent in the run $r$ and player 1 is not blameless.

Hence, in both cases, player 1 does not have a pure receptive strategy from $s$ (from which it follows that it
does not have any receptive strategy from $s$). □

3.3 Memory Requirement of Receptive Strategies 

In this subsection we deduce memory bounds on player-1 receptive strategies using Zielonka tree analysis 
(see [DJW97] for details). We first deduce a bound that allows player 1 to win in the finite state concurrent 
game 7^ . A player-1 winning strategy in 7^ can be mapped to a player-1 winning strategy in T by letting 
7rf(f[0..fc]) = {A,ai) such that (a) vrf" (Reg(f[0..fc])) = {R,ai), and (b) Reg(f[A;] + A) = R. Thus, the memory 
requirement for a player-1 winning strategy in T is not more than that for the finite game 7^ . We note that
Zielonka tree analysis holds only for turn based games, but since concurrent games with sure winning conditions 
reduce to concurrent games in which both players may use only pure strategies, which in turn reduce to turn 
based games, the Zielonka tree analysis is valid for game T*^ with sure winning conditions. 

Zielonka tree analysis. Let AP be a set of atomic propositions, and let $AP_N$ be AP together with the negations
of the propositions, i.e., $AP \cup \{\neg P \mid P \in AP\}$. We say a set $B \subseteq AP_N$ is consistent with respect to AP iff for
all propositions $P \in AP$, either $P \in B$, or $\neg P \in B$ (or both belong to $B$). A Muller winning condition $\mathcal{F}$ is
a consistent subset of $2^{AP_N}$. An infinite play satisfies the Muller condition iff the set of propositions (or the
negation of propositions) occurring infinitely often in the play belongs to $\mathcal{F}$. Given $B \subseteq AP_N$, let $\mathcal{F} \upharpoonright B$ denote
the set $\{D \in \mathcal{F} \mid D \subseteq B\}$. The Zielonka tree $Z_{\mathcal{F},B}$ of a Muller condition $\mathcal{F}$ over AP with $B = AP_N$ is defined
inductively as follows:

1. If $B \in \mathcal{F}$, then the root of $Z_{\mathcal{F},B}$ is labelled with $B$. Let $B_1, \ldots, B_k$ be all the maximal sets in
$\{B^* \notin \mathcal{F} \mid B^* \subseteq B, \text{ and } B^* \text{ consistent with respect to } AP\}$. The root of $Z_{\mathcal{F},B}$ then has as children the
Zielonka trees $Z_{\mathcal{F} \upharpoonright B_i, B_i}$ of $\mathcal{F} \upharpoonright B_i$ for $1 \le i \le k$.

2. If B ^ T, then Zj^^b = where T = {D e 2'^ \ D ^ T and D is consistent with respect to AP}. 

A node of the Zielonka tree $Z_{\mathcal{F},AP_N}$ is a Good node if it is labelled with a set from $\mathcal{F}$, otherwise it is a Bad
node.

Equivalent definition of Zielonka trees. We now present an equivalent definition (which suffices for our
purposes) of the Zielonka tree $Z_{\mathcal{F},AP_N}$ of a Muller condition $\mathcal{F}$ over AP. Every node of the Zielonka tree $Z_{\mathcal{F},AP_N}$
is labelled with a consistent subset $B \subseteq AP_N$. A node of the Zielonka tree $Z_{\mathcal{F},AP_N}$ is a Good node if it is
labelled with a set from $\mathcal{F}$, otherwise it is a Bad node. The root is labelled with $AP_N$. The children of a node
$v$ are defined inductively as follows:

1. Suppose $v$ is a Good node labelled with $B_v$. Let $B_1, \ldots, B_k$ be all the maximal sets in
$\{B^* \notin \mathcal{F} \mid B^* \subseteq B, \text{ and } B^* \text{ consistent with respect to } AP\}$. The node $v$ then has $k$ children (that are all
Bad) labelled with $B_1, \ldots, B_k$.

2. Suppose $v$ is a Bad node labelled with $B_v$. Let $B_1, \ldots, B_k$ be all the maximal sets in
$\{B^* \in \mathcal{F} \mid B^* \subseteq B, \text{ and } B^* \text{ consistent with respect to } AP\}$. The node $v$ then has $k$ children (that are all
Good) labelled with $B_1, \ldots, B_k$.

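The number $m_{\mathcal{F}}$ of a Muller condition. Let $\mathcal{F}$ be a Muller condition that is a consistent subset of $2^{AP_N}$.
Consider the Zielonka tree $Z_{\mathcal{F},AP_N}$ of $\mathcal{F}$. We define a number $m^{v}_{\mathcal{F}}$ for each node $v$ of $Z_{\mathcal{F},AP_N}$ inductively.

$$
m^{v}_{\mathcal{F}} =
\begin{cases}
1 & \text{if } v \text{ is a leaf,} \\
\sum_{i=1}^{k} m^{v_i}_{\mathcal{F}} & \text{if } v \text{ is a Good node and has children } v_1, \ldots, v_k, \\
\max\{m^{v_1}_{\mathcal{F}}, \ldots, m^{v_k}_{\mathcal{F}}\} & \text{if } v \text{ is a Bad node and has children } v_1, \ldots, v_k.
\end{cases}
$$

The number $m_{\mathcal{F}}$ of the Muller condition $\mathcal{F}$ is defined to be $m^{v_r}_{\mathcal{F}}$ where $v_r$ is the root of the Zielonka tree $Z_{\mathcal{F},AP_N}$.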

Lemma 14 ([DJW97]). Let S-^ be a finite state turn based game. If player 1 has a sure winning strategy for
a Muller objective $\mathcal{F}$ from a state $s$ in , then it has a pure sure winning strategy from $s$ with at most $m_{\mathcal{F}}$
memory states.

Now we use Zielonka tree analysis to deduce memory requirements of receptive strategies. 

Lemma 15. 1. Let $\phi_1 = (\Diamond\Box F_1) \vee (\Diamond\Box F_2) \vee \bigwedge_{j \le n}(\Box\Diamond I_j)$, where $F_1, F_2, I_j$ are boolean predicates on states
of a finite state game . Player 1 has a pure sure winning strategy from $\mathsf{Sure}_1(\phi_1)$ that requires at most $n$
memory states for the objective $\phi_1$.

2. Let 02 = {O^F) V Va<m ^ (Ai<n A UOI^ , where $F, F_a, I_{a,i}, I_a$ are boolean predicates
on states of a finite state game S'^-. Player 1 has a pure sure winning strategy from $\mathsf{Sure}_1(\phi_2)$ that requires
at most $(n + 1)^m$ memory states for the objective $\phi_2$.

Proof. We present Zielonka tree analysis for each case (in the figures $U = AP_N$), and use Lemma 14 to deduce
the memory bounds. The leaves are depicted with double boundaries in the figures. Bad nodes are pictured as
boxes, and Good nodes as ovals.

1. Consider the Zielonka tree in Figure 5. The number $m_{\mathcal{F}}$ for the leaf nodes is 1, and also for all the Bad
nodes. The number is hence $n$ for root.

2. Consider the (partial) Zielonka tree in Figure 6. The leaves (not shown) are Bad nodes. To compute the
$m_{\mathcal{F}}$ number for the root, pick an outgoing edge from each Bad node, and retain all edges from Good nodes.
For such an edge choice $\mathcal{E}$, let $\mathsf{Leaf}(Z_{\mathcal{F},AP_N}, \mathcal{E})$ denote the number of leaves reachable from the root in
the resulting graph. The $m_{\mathcal{F}}$ number for the root is then $\max_{\mathcal{E}} \mathsf{Leaf}(Z_{\mathcal{F},AP_N}, \mathcal{E})$. For the Zielonka tree in
Figure 6, let $\mathcal{E}$ be any such edge choice. It can be seen that each Good node in the resulting graph leads
to $n + 1$ reachable Good nodes in the next Good level below it. Also, there are $m$ Good levels. Thus the
number of leaves reachable from the root in the resulting graph for any $\mathcal{E}$ is $(n + 1)^m$. □
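
The $m_{\mathcal{F}}$ computation of part 1 can be checked mechanically. The following is an added example, not code from the paper: it builds the Zielonka tree by brute force from the equivalent definition above and evaluates the sum/max recursion. The literal encoding, the function names, and the reading of the Lemma 13 objective as an instance of $\phi_1$ with $n = |C| + 1$ are assumptions of this example.

```python
"""Brute-force Zielonka tree and memory number m_F (added illustration)."""
from functools import lru_cache
from itertools import product


def literals(props):
    """AP_N: every proposition of AP together with its negation."""
    return frozenset((p, pol) for p in props for pol in (True, False))


def consistent_subsets(props):
    """All B within AP_N that hold P, not-P, or both, for every P in AP."""
    per_prop = [
        [frozenset({(p, True)}), frozenset({(p, False)}),
         frozenset({(p, True), (p, False)})]
        for p in props
    ]
    return [frozenset().union(*combo) for combo in product(*per_prop)]


def zielonka_number(props, in_f):
    """m_F for the Muller condition F = {B consistent : in_f(B)}."""
    universe = consistent_subsets(props)

    def children(label):
        good = in_f(label)
        # Children of a Good node are the maximal consistent strict subsets
        # outside F; children of a Bad node are the maximal ones inside F.
        cands = [b for b in universe if b < label and in_f(b) != good]
        return good, [b for b in cands if not any(b < c for c in cands)]

    @lru_cache(maxsize=None)
    def m(label):
        good, kids = children(label)
        if not kids:
            return 1                                  # leaf
        values = [m(kid) for kid in kids]
        return sum(values) if good else max(values)   # Good: sum, Bad: max

    return m(literals(props))


def phi1(n):
    """(<>[] F1) or (<>[] F2) or AND_{j<=n} []<> I_j, as a predicate on the
    set B of literals that occur infinitely often along a play."""
    props = ["F1", "F2"] + [f"I{j}" for j in range(1, n + 1)]

    def in_f(b):
        always_f1 = ("F1", False) not in b    # not-F1 occurs only finitely often
        always_f2 = ("F2", False) not in b
        all_recur = all((f"I{j}", True) in b for j in range(1, n + 1))
        return always_f1 or always_f2 or all_recur

    return props, in_f


def receptive_memory_bound(num_clocks):
    """Assumed reading of the Lemma 13 objective as phi1: one recurrence
    conjunct per clock plus one for the merged blame disjunct, so n = |C| + 1."""
    props, in_f = phi1(num_clocks + 1)
    return zielonka_number(props, in_f)


if __name__ == "__main__":
    for clocks in (1, 2, 3):
        print(clocks, "clock(s):", receptive_memory_bound(clocks), "memory states")
```

The brute force enumerates all $3^{|AP|}$ consistent label sets, so it is only practical for a handful of propositions.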

Corollary 2. Let T be a timed automaton game with the clocks $C$, and let T be the corresponding enlarged
game.

1. Let $\Phi^\dagger$ be as in Lemma 13. Player 1 has a pure sure winning strategy in T from $\mathsf{Sure}_1(\Phi^\dagger)$ that requires at
most $(|C| + 1)$ memory states.

2. Let $\Phi^*$ be as in Lemma 11. Player 1 has a pure sure winning strategy in T from $\mathsf{Sure}_1(\Phi^*)$ that requires at
most $(|C| + 1)^{2^{|C|}}$ memory states.

Proof. For both cases, we first apply Lemma 15 to the finite game structure 'j'^ to obtain a pure sure winning strategy
ttJ in the finite game structure 7^; and then we obtain a pure sure winning strategy ttJ in the game structure
7 by letting 7r[(f[0..fe]) = {A,ai) such that (a) (Reg(r[0..fc])) = {R,ai), and (b) Reg{r[k] + A) = R. Thus,
the memory requirement for a player-1 winning strategy in T is at most that for the finite game 7^. □

3.4 Finite Memory Receptive Strategies for Safety Objectives 

Player 1 can ensure it stays in a set $Y$ in a receptive fashion if it uses a receptive strategy that only plays moves
to $Y$ states at each step. The next theorem uses this fact to characterize safety strategies.

Theorem 2 (Memory requirement for safety). Let T be a timed automaton game and T be the corresponding
enlarged game. Let $Y$ be a union of regions of T. Then the following assertions hold.

1. Surei^(ny) = Sure^ ((ny) A ^l*), where = <P* (as defined in Lemma 11), or = #^ (as defined in 

Lemma 13). 

2. Player 1 has a pure, finite-memory, receptive, region strategy in T that is sure winning for the safety objective
Safe($Y$) at every state in $\mathsf{Sure}_1(\Box Y)$, that requires at most $(|C| + 1)$ memory states (where $|C|$ is the number
of clocks in T).

3. Player 1 has a pure, finite-memory, receptive, strategy in T that is sure winning for the safety objective
Safe($Y$) at every state in $\mathsf{Sure}_1(\Box Y)$, that requires at most $(|C| + 1) \cdot 2^{3 \cdot |C| + 1}$ memory states, i.e.
$(\lg(|C| + 1) + 3 \cdot |C| + 1)$ bits of memory (where $|C|$ is the number of clocks in T).

Proof. 1. If a state $s \in$ Sure j^fPy A (p"), then there exists a player-1 winning strategy $\pi_1$ such that given
any player-2 strategy $\pi_2$, we have that every run $r$ in $\mathsf{Outcomes}(s, \pi_1, \pi_2)$ satisfies both $\Box Y$ and Since
is satisfies, the strategy $\pi_1$ is a receptive strategy by Lemmas 11 and 13. Moreover this strategy ensures
that the game stays in $Y$.

($\Rightarrow$). If $s \notin$ SureJ(ny A^*), then for every player-1 strategy $\pi_1$, there exists a player-2 strategy $\pi_2$ such that
one of the resulting runs either violates $\Box Y$, or If is violated, then $\pi_1$ is not a receptive strategy. If
$\Box Y$ is violated, then player 2 can switch over to a receptive strategy as soon as the game gets outside $Y$.
Thus, in both cases $s \notin \mathsf{Sure}_1(\Box Y)$.

2. The result follows from (a) the first part of the lemma, (b) observing that ny A^") is an $\omega$-regular objective,
(c) Lemma 5, and (d) the first part of Corollary 2 (the memory requirement to ensure ny A^") is the same
as that to ensure (p"). We note that the characterization of Lemma 11 for receptive strategies gives a memory
bound of $(|C| + 1)^{2^{|C|}}$ for safe receptive strategies.

3. It suffices to show that in the structure T, player 1 needs only $(3 \cdot |C| + 1)$ bits to maintain the predicates
used in the definition of T in memory. Then, with the help of these $(3 \cdot |C| + 1)$ bits, player 1 can play as if
it is playing in T. We assume that player 1 can observe the "flow" during a transition. That is, if the game
moves from $s$ to $s'$ in a single game transition, player 1 can observe the "intermediate" states (arising from
time passage) "in between" $s$ and $s'$. Then, player 1 needs only one bit for each of the predicates added to
T in the construction of T. These bits are updated during the flow of the transition. There are $(3 \cdot |C| + 1)$
predicates.

□ 

3.5 Memory Requirement of Receptive Region Strategies for Safety Objectives 

We now show memoryless region strategies for safety objectives do not suffice (where the regions are as classically 
defined for timed automata). 

Example 3 (Memory necessity of winning region strategies for safety). Consider the timed automaton game $T_3$
in Figure 7. The edges a\ are player-1 edges and player-2 edges. The safety objective of player-1 is to avoid
the location "Bad". It is clear that to avoid the bad location, player-1 must ensure that the game keeps cycling
around the locations $l_0, l_1, l_2$, and that the clock value of $y$ never exceeds 1. Cycling around only in $l_0, l_1$ cannot
be ensured by a receptive player-1 strategy as player 2 can take smaller and smaller time steps to take the
transition. Cycling around only in $l_0, l_2$ also cannot be ensured by a receptive player-1 strategy as the clock
value of $y$ would always need to stay below 1 without being reset, implying that more than 1 time unit does not
pass. Thus, any receptive player-1 strategy which avoids the bad location must cycle infinitely often between
$l_0, l_1$, and also between $l_0, l_2$.

Fig. 7. A timed automaton game $T_3$ where player-1 does not have receptive region strategies for the safety objective.

Suppose a player-1 memoryless region strategy ir^ exists for avoiding the bad location, starting from a state
in the region $R = \langle l_0, x = 0 \wedge 0 < y < 1 \rangle$. Suppose tt* always proposes the transition a? from the region Ri.
Then, player 2 can take the 02 transitions with smaller and smaller time delays and ensure that the region is
$R$ after each 02 transition. This will make time converge, and player 1 will not be blameless, thus vrj is not a
receptive strategy. Suppose 7r| always proposes the transition a\ from the region Ri (or proposes a non-zero
time delay move, which has the equivalent effect of disabling the a\ transition). In this case, player 2 can take
the a\ transition to again ensure that the region is $R$ after the a\ transition. This will result in the situation
where the $l_0, l_2$ cycle is always taken, time is not divergent, and player 1 is not blameless; thus 7rj[ is again not
a receptive strategy.

We now demonstrate that a finite-memory (actually memoryless in this case) receptive player-1 strategy 7r|
exists from states in the region $R = \langle l_0, x = 0 \wedge 0 < y < 1 \rangle$ for avoiding the bad location. If the current state is in
the region $R$ with the clock value of $y$ being less than 1/2, then player 1 proposes the a\ transition with a delay
which will make clock $y$ have a value greater than 1/2. If the current state is in the region $R$ with the clock
value of $y$ being greater than or equal to 1/2, then player 1 proposes to take the a? transition (immediately). This
strategy ensures that against any player-2 receptive strategy: (1) the game will cycle infinitely often between
$l_0, l_1$, and also between $l_0, l_2$, and (2) the clock $y$ will be at least 1/2 infinitely often, and also be reset infinitely
often, giving us time divergence. Thus, vrj is a receptive memoryless player-1 winning strategy.

Finally, we demonstrate a player-1 finite-memory receptive region strategy 7r| for avoiding the bad location,
starting from a state in the region $R = \langle l_0, x = 0 \wedge 0 < y < 1 \rangle$. The strategy acts as follows when at region
$R$. If the previous cycle was to $l_1$, the strategy n\ proposes to take the edge a\ with a delay which will
make clock $y$ have a value greater than 1/2. If the previous cycle was to $l_2$, the strategy 7r| proposes to take the
edge O]* (immediately). It can be verified that the strategy 7r| requires only one memory state, and is a player-1
winning receptive region strategy. □

Theorem 3 (Memory necessity of winning region strategies for safety). There is a timed automaton
game T, a union of regions $Y$ of T, and a state $s$ such that player 1 does not have a winning memoryless
receptive region strategy from $s$, but has a winning receptive region strategy from $s$ that requires at most $(|C| + 1)$
memory states (where $|C|$ is the number of clocks in T), for the objective of staying in the set $Y$.

Proof. Example 3 presents such a timed automaton game. The memory bound follows from Theorem 2. □